From faa802de5ab50c992abc3ca07f9114b8d2e4e7cf Mon Sep 17 00:00:00 2001 From: Bob Relyea Date: Thu, 17 Nov 2022 14:49:13 -0800 Subject: [PATCH 01/28] Update NSS to 3.85 (rhbz#214318) --- .gitignore | 1 + nss.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 2e32c54..43c0bc2 100644 --- a/.gitignore +++ b/.gitignore @@ -75,3 +75,4 @@ TestUser51.cert /nss-3.81.tar.gz /nss-3.83.tar.gz /nspr-4.35.tar.gz +/nss-3.85.tar.gz diff --git a/nss.spec b/nss.spec index b975001..e971efe 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.35.0 -%global nss_version 3.83.0 +%global nss_version 3.85.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only @@ -7,7 +7,7 @@ %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %baserelease +%global nspr_release %[baserelease+1] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -1093,6 +1093,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Thu Nov 17 2022 Bob Relyea - 3.85.0-1 +- update to NSS 3.83 + * Fri Sep 9 2022 Bob Relyea - 3.83.0-1 - update to NSS 3.83 - update to NSPR 4.35 diff --git a/sources b/sources index b36e034..c9d91e9 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.83.tar.gz) = 550cf1116e39e58041feaa67913f570d791e8153cc0522ba7ae02e27a61e0a4e6a25224be0f25d51a842dc11c70d600263450ebff0a9fdaa2840bafa3fc9ddd5 +SHA512 (nss-3.85.tar.gz) = 97cfffa2beed1dba5d31e0c6e450553e5a8c78b427521640adb00c05d9d63cd64dc08388f0dbf96c93efb79f5daf4ba8db8d026b0b43d2e5c865a9b833fc77a1 SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f From 1c86aae27836aeb2211fa64233875c3150a03ae4 Mon Sep 17 00:00:00 2001 From: Bob Relyea Date: Thu, 17 Nov 2022 15:45:22 -0800 Subject: [PATCH 02/28] Fix nss.spec syntax error --- nss.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index e971efe..ec5b3a0 100644 --- a/nss.spec +++ b/nss.spec @@ -7,7 +7,7 @@ %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[baserelease+1] +%global nspr_release %[%baserelease+1] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 From e88705bd7404468061dc888076479230b21b1833 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Wed, 4 Jan 2023 20:22:08 +0100 Subject: [PATCH 03/28] Update NSS to 3.87 & remove unused patches Signed-off-by: Frantisek Krenzelok --- .gitignore | 1 + ....1-revert_rhel8_unsafe_policy_change.patch | 39 - nss-3.65-disable-hw-ppc.patch | 19 - nss-3.79-fix-client-cert-crash.patch | 23 - nss-539183.patch | 62 -- nss-fedora-btrf-sql-hack.patch | 18 - nss-fix-PayPal-upstream.patch | 42 - nss-sql-man-page.patch | 749 ------------------ nss.spec | 9 +- sources | 2 +- 10 files changed, 7 insertions(+), 957 deletions(-) delete mode 100644 nss-3.53.1-revert_rhel8_unsafe_policy_change.patch delete mode 100644 nss-3.65-disable-hw-ppc.patch delete mode 100644 nss-3.79-fix-client-cert-crash.patch delete mode 100644 nss-539183.patch delete mode 100644 nss-fedora-btrf-sql-hack.patch delete mode 100644 nss-fix-PayPal-upstream.patch delete mode 100644 nss-sql-man-page.patch diff --git a/.gitignore b/.gitignore index 43c0bc2..73aa652 100644 --- a/.gitignore +++ b/.gitignore @@ -76,3 +76,4 @@ TestUser51.cert /nss-3.83.tar.gz /nspr-4.35.tar.gz /nss-3.85.tar.gz +/nss-3.87.tar.gz diff --git a/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch b/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch deleted file mode 100644 index 9e39df7..0000000 --- a/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff -up ./lib/pk11wrap/pk11pars.c.policy_revert ./lib/pk11wrap/pk11pars.c ---- ./lib/pk11wrap/pk11pars.c.policy_revert 2020-11-04 10:26:59.085300799 -0800 -+++ ./lib/pk11wrap/pk11pars.c 2020-11-04 10:29:52.774239468 -0800 -@@ -391,12 +391,6 @@ static const oidValDef signOptList[] = { - /* Signatures */ - { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE, - NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, -- { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, -- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, -- { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, -- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, -- { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, -- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, - }; - - typedef struct { -@@ -412,7 +406,7 @@ static const algListsDef algOptLists[] = - { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE }, - { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE }, - { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE }, -- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE }, -+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE }, - }; - - static const optionFreeDef sslOptList[] = { -diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt ---- ./tests/ssl/sslpolicy.txt.policy_revert 2020-11-04 10:31:20.837715397 -0800 -+++ ./tests/ssl/sslpolicy.txt 2020-11-04 10:33:19.598357223 -0800 -@@ -193,7 +193,9 @@ - 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow - 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly - 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly -- 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly -+# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary -+# compatibility reasons -+# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly - # test default settings - # NOTE: tstclient will attempt to overide the defaults, so we detect we - # were successful by locking in our settings diff --git a/nss-3.65-disable-hw-ppc.patch b/nss-3.65-disable-hw-ppc.patch deleted file mode 100644 index e435bcf..0000000 --- a/nss-3.65-disable-hw-ppc.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -up ./lib/freebl/blinit.c.disable_hw_ppc ./lib/freebl/blinit.c ---- ./lib/freebl/blinit.c.disable_hw_ppc 2021-05-27 18:04:59.754657701 -0700 -+++ ./lib/freebl/blinit.c 2021-05-27 18:07:02.756397733 -0700 -@@ -502,6 +502,7 @@ CheckPPCSupport() - char *disable_hw_crypto = PR_GetEnvSecure("NSS_DISABLE_PPC_GHASH"); - - unsigned long hwcaps = 0; -+#ifdef notdef - #if defined(__linux__) - #if __has_include() - hwcaps = getauxval(AT_HWCAP2); -@@ -516,6 +517,7 @@ CheckPPCSupport() - sysctlbyname("hw.cpu_features2", &hwcaps, &len, NULL, 0); - #endif - #endif -+#endif - - ppc_crypto_support_ = hwcaps & PPC_FEATURE2_VEC_CRYPTO && disable_hw_crypto == NULL; - } diff --git a/nss-3.79-fix-client-cert-crash.patch b/nss-3.79-fix-client-cert-crash.patch deleted file mode 100644 index 5f80fdc..0000000 --- a/nss-3.79-fix-client-cert-crash.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c ---- a/lib/ssl/authcert.c -+++ b/lib/ssl/authcert.c -@@ -212,17 +212,17 @@ NSS_GetClientAuthData(void *arg, - pw_arg); - } else { - int nnames = 0; - char **names = ssl_DistNamesToStrings(caNames, &nnames); - rv = CERT_FilterCertListByCANames(certList, nnames, names, - certUsageSSLClient); - ssl_FreeDistNamesStrings(names, nnames); - } -- if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) { -+ if ((rv != SECSuccess) || (certList && CERT_LIST_EMPTY(certList))) { - CERT_DestroyCertList(certList); - certList = NULL; - } - } - if (certList == NULL) { - /* no user certs meeting the nickname/usage requirements found */ - return SECFailure; - } - diff --git a/nss-539183.patch b/nss-539183.patch deleted file mode 100644 index 267e71e..0000000 --- a/nss-539183.patch +++ /dev/null @@ -1,62 +0,0 @@ ---- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700 -+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700 -@@ -953,23 +953,23 @@ - getBoundListenSocket(unsigned short port) - { - PRFileDesc *listen_sock; - int listenQueueDepth = 5 + (2 * maxThreads); - PRStatus prStatus; - PRNetAddr addr; - PRSocketOptionData opt; - -- addr.inet.family = PR_AF_INET; -- addr.inet.ip = PR_INADDR_ANY; -- addr.inet.port = PR_htons(port); -+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { -+ errExit("PR_SetNetAddr"); -+ } - -- listen_sock = PR_NewTCPSocket(); -+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); - if (listen_sock == NULL) { -- errExit("PR_NewTCPSocket"); -+ errExit("PR_OpenTCPSockett"); - } - - opt.option = PR_SockOpt_Nonblocking; - opt.value.non_blocking = PR_FALSE; - prStatus = PR_SetSocketOption(listen_sock, &opt); - if (prStatus < 0) { - PR_Close(listen_sock); - errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); ---- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700 -+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700 -@@ -1711,23 +1711,23 @@ - getBoundListenSocket(unsigned short port) - { - PRFileDesc *listen_sock; - int listenQueueDepth = 5 + (2 * maxThreads); - PRStatus prStatus; - PRNetAddr addr; - PRSocketOptionData opt; - -- addr.inet.family = PR_AF_INET; -- addr.inet.ip = PR_INADDR_ANY; -- addr.inet.port = PR_htons(port); -+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { -+ errExit("PR_SetNetAddr"); -+ } - -- listen_sock = PR_NewTCPSocket(); -+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); - if (listen_sock == NULL) { -- errExit("PR_NewTCPSocket"); -+ errExit("PR_OpenTCPSocket error"); - } - - opt.option = PR_SockOpt_Nonblocking; - opt.value.non_blocking = PR_FALSE; - prStatus = PR_SetSocketOption(listen_sock, &opt); - if (prStatus < 0) { - PR_Close(listen_sock); - errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); diff --git a/nss-fedora-btrf-sql-hack.patch b/nss-fedora-btrf-sql-hack.patch deleted file mode 100644 index db60cc2..0000000 --- a/nss-fedora-btrf-sql-hack.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff -up ./lib/softoken/sdb.c.orig ./lib/softoken/sdb.c ---- ./lib/softoken/sdb.c.orig 2020-12-11 22:49:26.961726193 -0500 -+++ ./lib/softoken/sdb.c 2020-12-11 23:01:30.739122494 -0500 -@@ -690,8 +690,14 @@ sdb_openDB(const char *name, sqlite3 **s - openFlags = SQLITE_OPEN_READONLY; - } else { - openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE; -+ /* btrfs and sqlite seem to incorrectly open readwrite. -+ * when the file is readonly explicitly reject that issue here */ -+ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) { -+ return SQLITE_READONLY; -+ } - } - -+ - /* Requires SQLite 3.5.0 or newer. */ - sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL); - if (sqlerr != SQLITE_OK) { diff --git a/nss-fix-PayPal-upstream.patch b/nss-fix-PayPal-upstream.patch deleted file mode 100644 index 71e78cb..0000000 --- a/nss-fix-PayPal-upstream.patch +++ /dev/null @@ -1,42 +0,0 @@ -diff --git a/tests/chains/chains.sh b/tests/chains/chains.sh ---- a/tests/chains/chains.sh -+++ b/tests/chains/chains.sh -@@ -917,7 +917,7 @@ - done - - VFY_OPTS_TNAME="${DB_OPT} ${ENGINE} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${TRUST_OPT}" -- VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" -+ VFY_OPTS_ALL="${DB_OPT} ${ENGINE} -vv ${VFY_TIME_OPT} ${TRUST_AND_DB_OPT} ${REV_OPTS} ${FETCH_OPT} ${USAGE_OPT} ${POLICY_OPT} ${VFY_CERTS} ${TRUST_OPT}" - - TESTNAME="Verifying certificate(s) ${VFY_LIST} with flags ${VFY_OPTS_TNAME}" - echo "${SCRIPTNAME}: ${TESTNAME}" -@@ -1118,6 +1118,7 @@ - ;; - "verify") - VERIFY="${VALUE}" -+ VFY_TIME_OPT= - TRUST= - TRUST_AND_DB= - POLICY= -@@ -1126,6 +1127,9 @@ - REV_OPTS= - USAGE_OPT= - ;; -+ "at_time") -+ VFY_TIME_OPT="-b ${VALUE}" -+ ;; - "cert") - VERIFY="${VERIFY} ${VALUE}" - ;; -diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg ---- a/tests/chains/scenarios/realcerts.cfg -+++ b/tests/chains/scenarios/realcerts.cfg -@@ -22,6 +22,7 @@ - - verify PayPalEE:x - policy OID.2.16.840.1.114412.2.1 -+ at_time 2201010000Z - result pass - - verify BrAirWaysBadSig:x - diff --git a/nss-sql-man-page.patch b/nss-sql-man-page.patch deleted file mode 100644 index 1084856..0000000 --- a/nss-sql-man-page.patch +++ /dev/null @@ -1,749 +0,0 @@ -# HG changeset patch -# User Robert Relyea -# Date 1621548343 25200 -# Thu May 20 15:05:43 2021 -0700 -# Node ID 230ce820b8fd9bc542940a324388f6b2b55ecca8 -# Parent 207465bda46a4d6eb07ddef2a3a8232643ff027e -Bug 1712184 NSS tools manpages need to be updated to reflect that sqlite is the default database. - -update certutil.xml pk12util.xml modutil.xml and signver.xml to reflect the fact -the the sql database is default. Many of these also has examples of specifying -sql:dirname which is now the default. I did not replace them with dbm:dirname since -we don't want to encourage regressing back. The one exception is in the paragraph -explaining how to get to the old database format. - - -Differential Revision: https://phabricator.services.mozilla.com/D115658 - -diff --git a/doc/certutil.xml b/doc/certutil.xml ---- a/doc/certutil.xml -+++ b/doc/certutil.xml -@@ -203,17 +203,17 @@ If this option is not used, the validity - - Specify the database directory containing the certificate and key database files. - certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). - NSS recognizes the following prefixes: - - sql: requests the newer database - dbm: requests the legacy database - -- If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default. -+ If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then sql: is the default. - - - - - --dump-ext-val OID - For single cert, print binary DER encoding of extension OID. - - -@@ -843,23 +843,23 @@ Comma separated list of one or more of t - - secmod.db or pkcs11.txt - - - - - These databases must be created before certificates or keys can be generated. - --certutil -N -d [sql:]directory -+certutil -N -d directory - - Creating a Certificate Request - - A certificate request contains most or all of the information that is used to generate the final certificate. This request is submitted separately to a certificate authority and is then approved by some mechanism (automatically or by human review). Once the request is approved, then the certificate is generated. - --$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d [sql:]directory [-p phone] [-o output-file] [-a] -+$ certutil -R -k key-type-or-id [-q pqgfile|curve-name] -g key-size -s subject [-h tokenname] -d directory [-p phone] [-o output-file] [-a] - - The command options requires four arguments: - - - - - to specify either the key type to generate or, when renewing a certificate, the existing key pair to use - -@@ -881,27 +881,27 @@ Comma separated list of one or more of t - - - - The new certificate request can be output in ASCII format () or can be written to a specified file (). - - - For example: - --$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d sql:$HOME/nssdb -p 650-555-0123 -a -o cert.cer -+$ certutil -R -k rsa -g 1024 -s "CN=John Smith,O=Example Corp,L=Mountain View,ST=California,C=US" -d $HOME/nssdb -p 650-555-0123 -a -o cert.cer - - Generating key. This may take a few moments... - - - - Creating a Certificate - - A valid certificate must be issued by a trusted CA. This can be done by specifying a CA certificate () that is stored in the certificate database. If a CA key pair is not available, you can create a self-signed certificate using the argument with the command option. - --$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d [sql:]directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID] -+$ certutil -S -k rsa|dsa|ec -n certname -s subject [-c issuer |-x] -t trustargs -d directory [-m serial-number] [-v valid-months] [-w offset-months] [-p phone] [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] [--extAIA] [--extSIA] [--extCP] [--extPM] [--extPC] [--extIA] [--extSKID] - - The series of numbers and options set certificate extensions that can be added to the certificate when it is generated by the CA. Interactive prompts will result. - - - For example, this creates a self-signed certificate: - - $ certutil -S -s "CN=Example CA" -n my-ca-cert -x -t "C,C,C" -1 -2 -5 -m 3650 - -@@ -911,55 +911,55 @@ The interative prompts for key usage and - From there, new certificates can reference the self-signed certificate: - - $ certutil -S -s "CN=My Server Cert" -n my-server-cert -c "my-ca-cert" -t ",," -1 -5 -6 -8 -m 730 - - Generating a Certificate from a Certificate Request - - When a certificate request is created, a certificate can be generated by using the request and then referencing a certificate authority signing certificate (the issuer specified in the argument). The issuing certificate must be in the certificate database in the specified directory. - --certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d [sql:]directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] -+certutil -C -c issuer -i cert-request-file -o output-file [-m serial-number] [-v valid-months] [-w offset-months] -d directory [-1] [-2] [-3] [-4] [-5 keyword] [-6 keyword] [-7 emailAddress] [-8 dns-names] - - For example: - --$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d sql:$HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com -+$ certutil -C -c "my-ca-cert" -i /home/certs/cert.req -o cert.cer -m 010 -v 12 -w 1 -d $HOME/nssdb -1 nonRepudiation,dataEncipherment -5 sslClient -6 clientAuth -7 jsmith@example.com - - Listing Certificates - - The command option lists all of the certificates listed in the certificate database. The path to the directory () is required. - --$ certutil -L -d sql:/home/my/sharednssdb -+$ certutil -L -d /home/my/sharednssdb - - Certificate Nickname Trust Attributes - SSL,S/MIME,JAR/XPI - - CA Administrator of Instance pki-ca1's Example Domain ID u,u,u - TPS Administrator's Example Domain ID u,u,u - Google Internet Authority ,, - Certificate Authority - Example Domain CT,C,C - - Using additional arguments with can return and print the information for a single, specific certificate. For example, the argument passes the certificate name, while the argument prints the certificate in ASCII format: - - --$ certutil -L -d sql:$HOME/nssdb -a -n my-ca-cert -+$ certutil -L -d $HOME/nssdb -a -n my-ca-cert - -----BEGIN CERTIFICATE----- - MIIB1DCCAT2gAwIBAgICDkIwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKRXhh - bXBsZSBDQTAeFw0xMzAzMTMxOTEwMjlaFw0xMzA2MTMxOTEwMjlaMBUxEzARBgNV - BAMTCkV4YW1wbGUgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJ4Kzqvz - JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0Cul/6sO/gsCvnABHiH6unns6x - XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk - 0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB - AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B - AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09 - XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF - ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg== - -----END CERTIFICATE----- - - For a human-readable display --$ certutil -L -d sql:$HOME/nssdb -n my-ca-cert -+$ certutil -L -d $HOME/nssdb -n my-ca-cert - Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3650 (0xe42) - Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption - Issuer: "CN=Example CA" - Validity: - Not Before: Wed Mar 13 19:10:29 2013 -@@ -1022,17 +1022,17 @@ Certificate: - - Listing Keys - - Keys are the original material used to encrypt certificate data. The keys generated for certificates are stored separately, in the key database. - - - To list all keys in the database, use the command option and the (required) argument to give the path to the directory. - --$ certutil -K -d sql:$HOME/nssdb -+$ certutil -K -d $HOME/nssdb - certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services " - < 0> rsa 455a6673bde9375c2887ec8bf8016b3f9f35861d Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID - < 1> rsa 40defeeb522ade11090eacebaaf1196a172127df Example Domain Administrator Cert - < 2> rsa 1d0b06f44f6c03842f7d4f4a1dc78b3bcd1b85a5 John Smith user cert - - There are ways to narrow the keys listed in the search results: - - -@@ -1052,111 +1052,111 @@ certutil: Checking token "NSS Certificat - - - - - Listing Security Modules - - The devices that can be used to store certificates -- both internal databases and external devices like smart cards -- are recognized and used by loading security modules. The command option lists all of the security modules listed in the secmod.db database. The path to the directory () is required. - --$ certutil -U -d sql:/home/my/sharednssdb -+$ certutil -U -d /home/my/sharednssdb - - slot: NSS User Private Key and Certificate Services - token: NSS Certificate DB - uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - - slot: NSS Internal Cryptographic Services - token: NSS Generic Crypto Services - uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - - Adding Certificates to the Database - - Existing certificates or certificate requests can be added manually to the certificate database, even if they were generated elsewhere. This uses the command option. - --certutil -A -n certname -t trustargs -d [sql:]directory [-a] [-i input-file] -+certutil -A -n certname -t trustargs -d directory [-a] [-i input-file] - - For example: - --$ certutil -A -n "CN=My SSL Certificate" -t ",," -d sql:/home/my/sharednssdb -i /home/example-certs/cert.cer -+$ certutil -A -n "CN=My SSL Certificate" -t ",," -d /home/my/sharednssdb -i /home/example-certs/cert.cer - - A related command option, , is used specifically to add email certificates to the certificate database. The command has the same arguments as the command. The trust arguments for certificates have the format SSL,S/MIME,Code-signing, so the middle trust settings relate most to email certificates (though the others can be set). For example: - --$ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d sql:/home/my/sharednssdb -i /home/example-certs/email.cer -+$ certutil -E -n "CN=John Smith Email Cert" -t ",P," -d /home/my/sharednssdb -i /home/example-certs/email.cer - - Deleting Certificates to the Database - - Certificates can be deleted from a database using the option. The only required options are to give the security database directory and to identify the certificate nickname. - --certutil -D -d [sql:]directory -n "nickname" -+certutil -D -d directory -n "nickname" - - For example: - --$ certutil -D -d sql:/home/my/sharednssdb -n "my-ssl-cert" -+$ certutil -D -d /home/my/sharednssdb -n "my-ssl-cert" - - Validating Certificates - - A certificate contains an expiration date in itself, and expired certificates are easily rejected. However, certificates can also be revoked before they hit their expiration date. Checking whether a certificate has been revoked requires validating the certificate. Validation can also be used to ensure that the certificate is only used for the purposes it was initially issued for. Validation is carried out by the command option. - --certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d [sql:]directory -+certutil -V -n certificate-name [-b time] [-e] [-u cert-usage] -d directory - - For example, to validate an email certificate: - --$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d sql:/home/my/sharednssdb -+$ certutil -V -n "John Smith's Email Cert" -e -u S,R -d /home/my/sharednssdb - - Modifying Certificate Trust Settings - - The trust settings (which relate to the operations that a certificate is allowed to be used for) can be changed after a certificate is created or added to the database. This is especially useful for CA certificates, but it can be performed for any type of certificate. - --certutil -M -n certificate-name -t trust-args -d [sql:]directory -+certutil -M -n certificate-name -t trust-args -d directory - - For example: - --$ certutil -M -n "My CA Certificate" -d sql:/home/my/sharednssdb -t "CT,CT,CT" -+$ certutil -M -n "My CA Certificate" -d /home/my/sharednssdb -t "CT,CT,CT" - - Printing the Certificate Chain - - Certificates can be issued in chains because every certificate authority itself has a certificate; when a CA issues a certificate, it essentially stamps that certificate with its own fingerprint. The prints the full chain of a certificate, going from the initial CA (the root CA) through ever intermediary CA to the actual certificate. For example, for an email certificate with two CAs in the chain: - --$ certutil -d sql:/home/my/sharednssdb -O -n "jsmith@example.com" -+$ certutil -d /home/my/sharednssdb -O -n "jsmith@example.com" - "Builtin Object Token:Thawte Personal Freemail CA" [E=personal-freemail@thawte.com,CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA] - - "Thawte Personal Freemail Issuing CA - Thawte Consulting" [CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA] - - "(null)" [E=jsmith@example.com,CN=Thawte Freemail Member] - - Resetting a Token - - The device which stores certificates -- both external hardware devices and internal software databases -- can be blanked and reused. This operation is performed on the device which stores the data, not directly on the security databases, so the location must be referenced through the token name () as well as any directory path. If there is no external token used, the default value is internal. - --certutil -T -d [sql:]directory -h token-name -0 security-officer-password -+certutil -T -d directory -h token-name -0 security-officer-password - - Many networks have dedicated personnel who handle changes to security tokens (the security officer). This person must supply the password to access the specified token. For example: - --$ certutil -T -d sql:/home/my/sharednssdb -h nethsm -0 secret -+$ certutil -T -d /home/my/sharednssdb -h nethsm -0 secret - - Upgrading or Merging the Security Databases - - Many networks or applications may be using older BerkeleyDB versions of the certificate database (cert8.db). Databases can be upgraded to the new SQLite version of the database (cert9.db) using the command option or existing databases can be merged with the new cert9.db databases using the command. - - - The command must give information about the original database and then use the standard arguments (like ) to give the information about the new databases. The command also requires information that the tool uses for the process to upgrade and write over the original database. - --certutil --upgrade-merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file] -+certutil --upgrade-merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix --upgrade-id id --upgrade-token-name name [-@ password-file] - - For example: - --$ certutil --upgrade-merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal -+$ certutil --upgrade-merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- --upgrade-id 1 --upgrade-token-name internal - - The command only requires information about the location of the original database; since it doesn't change the format of the database, it can write over information without performing interim step. - --certutil --merge -d [sql:]directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file] -+certutil --merge -d directory [-P dbprefix] --source-dir directory --source-prefix dbprefix [-@ password-file] - - For example: - --$ certutil --merge -d sql:/home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- -+$ certutil --merge -d /home/my/sharednssdb --source-dir /opt/my-app/alias/ --source-prefix serverapp- - - Running certutil Commands from a Batch File - - A series of commands can be run sequentially from a text file with the command option. The only argument for this specifies the input file. - - $ certutil -B -i /path/to/batch-file - - -@@ -1202,27 +1202,26 @@ BerkeleyDB. These new databases provide - - pkcs11.txt, a listing of all of the PKCS #11 modules, contained in a new subdirectory in the security databases directory - - - - - Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. - --By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example: -+By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: - --$ certutil -L -d sql:/home/my/sharednssdb -+$ certutil -L -d dbm:/home/my/sharednssdb - --To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: --export NSS_DEFAULT_DB_TYPE="sql" -+To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: -+export NSS_DEFAULT_DB_TYPE="dbm" - - This line can be set added to the ~/.bashrc file to make the change permanent. - --Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - - - - https://wiki.mozilla.org/NSS_Shared_DB_Howto - - - For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: - -diff --git a/doc/modutil.xml b/doc/modutil.xml ---- a/doc/modutil.xml -+++ b/doc/modutil.xml -@@ -144,24 +144,24 @@ - - - - -ciphers cipher-enable-list - Enable specific ciphers in a module that is being added to the database. The cipher-enable-list is a colon-delimited list of cipher names. Enclose this list in quotation marks if it contains spaces. - - - -- -dbdir [sql:]directory -+ -dbdir directory - Specify the database directory in which to access or create security module database files. -- modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format. -+ modutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in SQLite format. - - - - --dbprefix prefix -- Specify the prefix used on the database files, such as my_ for my_cert8.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. -+ Specify the prefix used on the database files, such as my_ for my_cert9.db. This option is provided as a special case. Changing the names of the certificate and key databases is not recommended. - - - - -installdir root-installation-directory - Specify the root installation directory relative to which files will be installed by the option. This directory should be one below which it is appropriate to store dynamic library files, such as a server's root directory. - - - -@@ -224,23 +224,23 @@ - - - - - Usage and Examples - - Creating Database Files - Before any operations can be performed, there must be a set of security databases available. modutil can be used to create these files. The only required argument is the database that where the databases will be located. --modutil -create -dbdir [sql:]directory -+modutil -create -dbdir directory - - Adding a Cryptographic Module - Adding a PKCS #11 module means submitting a supporting library file, enabling its ciphers, and setting default provider status for various security mechanisms. This can be done by supplying all of the information through modutil directly or by running a JAR file and install script. For the most basic case, simply upload the library: - modutil -add modulename -libfile library-file [-ciphers cipher-enable-list] [-mechanisms mechanism-list] - For example: --modutil -dbdir sql:/home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM -+modutil -dbdir /home/my/sharednssdb -add "Example PKCS #11 Module" -libfile "/tmp/crypto.so" -mechanisms RSA:DSA:RC2:RANDOM - - Using database directory ... - Module "Example PKCS #11 Module" added to database. - - - - Installing a Cryptographic Module from a JAR File - PKCS #11 modules can also be loaded using a JAR file, which contains all of the required libraries and an installation script that describes how to install the module. The JAR install script is described in more detail in . -@@ -262,17 +262,17 @@ Module "Example PKCS #11 Module" added t - } - } - Linux:6.0.0:x86 { - EquivalentPlatform { Linux:5.4.08:x86 } - } - } - Both the install script and the required libraries must be bundled in a JAR file, which is specified with the argument. - --modutil -dbdir sql:/home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir sql:/home/my/sharednssdb -+modutil -dbdir /home/mt"jar-install-filey/sharednssdb -jar install.jar -installdir /home/my/sharednssdb - - This installation JAR file was signed by: - ---------------------------------------------- - - **SUBJECT NAME** - - C=US, ST=California, L=Mountain View, CN=Cryptorific Inc., OU=Digital ID - Class 3 - Netscape Object Signing, OU="www.verisign.com/repository/CPS -@@ -299,42 +299,42 @@ Installation completed successfully Adding Module Spec - Each module has information stored in the security database about its configuration and parameters. These can be added or edited using the command. For the current settings or to see the format of the module spec in the database, use the option. - modutil -rawadd modulespec - - - Deleting a Module - A specific PKCS #11 module can be deleted from the secmod.db database: --modutil -delete modulename -dbdir [sql:]directory -+modutil -delete modulename -dbdir directory - - Displaying Module Information - The secmod.db database contains information about the PKCS #11 modules that are available to an application or server to use. The list of all modules, information about specific modules, and database configuration specs for modules can all be viewed. - To simply get a list of modules in the database, use the command. --modutil -list [modulename] -dbdir [sql:]directory -+modutil -list [modulename] -dbdir directory - Listing the modules shows the module name, their status, and other associated security databases for certificates and keys. For example: - --modutil -list -dbdir sql:/home/my/sharednssdb -+modutil -list -dbdir /home/my/sharednssdb - - Listing of PKCS #11 Modules - ----------------------------------------------------------- - 1. NSS Internal PKCS #11 Module - slots: 2 slots attached - status: loaded - - slot: NSS Internal Cryptographic Services - token: NSS Generic Crypto Services - uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - - slot: NSS User Private Key and Certificate Services - token: NSS Certificate DB - uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203 - ----------------------------------------------------------- - Passing a specific module name with the returns details information about the module itself, like supported cipher mechanisms, version numbers, serial numbers, and other information about the module and the token it is loaded on. For example: -- modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/home/my/sharednssdb -+ modutil -list "NSS Internal PKCS #11 Module" -dbdir /home/my/sharednssdb - - ----------------------------------------------------------- - Name: NSS Internal PKCS #11 Module - Library file: **Internal ONLY module** - Manufacturer: Mozilla Foundation - Description: NSS Internal Crypto Services - PKCS #11 Version 2.20 - Library Version: 3.11 -@@ -370,17 +370,17 @@ Default Mechanism Flags: RSA:RC2:RC4:DES - Token Model: NSS 3 - Token Serial Number: 0000000000000000 - Token Version: 8.3 - Token Firmware Version: 0.0 - Access: NOT Write Protected - Login Type: Login required - User Pin: Initialized - A related command, returns information about the database configuration for the modules. (This information can be edited by loading new specs using the command.) -- modutil -rawlist -dbdir sql:/home/my/sharednssdb -+ modutil -rawlist -dbdir /home/my/sharednssdb - name="NSS Internal PKCS #11 Module" parameters="configdir=. certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical" - - Setting a Default Provider for Security Mechanisms - Multiple security modules may provide support for the same security mechanisms. It is possible to set a specific security module as the default provider for a specific security mechanism (or, conversely, to prohibit a provider from supplying those mechanisms). - modutil -default modulename -mechanisms mechanism-list - To set a module as the default provider for mechanisms, use the command with a colon-separated list of mechanisms. The available mechanisms depend on the module; NSS supplies almost all common mechanisms. For example: - modutil -default "NSS Internal PKCS #11 Module" -dbdir -mechanisms RSA:DSA:RC2 - -@@ -398,29 +398,29 @@ Successfully changed defaults.For example: - modutil -enable "NSS Internal PKCS #11 Module" -slot "NSS Internal Cryptographic Services " -dbdir . - - Slot "NSS Internal Cryptographic Services " enabled. - Be sure that the appropriate amount of trailing whitespace is after the slot name. Some slot names have a significant amount of whitespace that must be included, or the operation will fail. - - Enabling and Verifying FIPS Compliance - The NSS modules can have FIPS 140-2 compliance enabled or disabled using modutil with the option. For example: --modutil -fips true -dbdir sql:/home/my/sharednssdb/ -+modutil -fips true -dbdir /home/my/sharednssdb/ - - FIPS mode enabled. - To verify that status of FIPS mode, run the command with either a true or false flag (it doesn't matter which). The tool returns the current FIPS setting. --modutil -chkfips false -dbdir sql:/home/my/sharednssdb/ -+modutil -chkfips false -dbdir /home/my/sharednssdb/ - - FIPS mode enabled. - - Changing the Password on a Token - - Initializing or changing a token's password: - modutil -changepw tokenname [-pwfile old-password-file] [-newpwfile new-password-file] --modutil -dbdir sql:/home/my/sharednssdb -changepw "NSS Certificate DB" -+modutil -dbdir /home/my/sharednssdb -changepw "NSS Certificate DB" - - Enter old password: - Incorrect password, try again... - Enter old password: - Enter new password: - Re-enter new password: - Token "Communicator Certificate DB" password changed successfully. - -@@ -684,27 +684,26 @@ BerkleyDB. These new databases provide m - - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory - - - - - Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. - --By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example: -+By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type. -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: - --modutil -create -dbdir sql:/home/my/sharednssdb -+modutil -create -dbdir dbm:/home/my/sharednssdb - --To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: --export NSS_DEFAULT_DB_TYPE="sql" -+To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: -+export NSS_DEFAULT_DB_TYPE="dbm" - - This line can be added to the ~/.bashrc file to make the change permanent for the user. - --Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - - - - https://wiki.mozilla.org/NSS_Shared_DB_Howto - - - For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: - -diff --git a/doc/pk12util.xml b/doc/pk12util.xml ---- a/doc/pk12util.xml -+++ b/doc/pk12util.xml -@@ -25,17 +25,17 @@ - - - - - pk12util - -i p12File|-l p12File|-o p12File - -c keyCipher - -C certCipher -- -d [sql:]directory -+ -d directory - -h tokenname - -m | --key-len keyLength - -M hashAlg - -n certname - -P dbprefix - -r - -v - --cert-key-len certKeyLength -@@ -83,19 +83,19 @@ - - - - -C certCipher - Specify the certiticate encryption algorithm. - - - -- -d [sql:]directory -+ -d directory - Specify the database directory into which to import to or export from certificates and keys. -- pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format. -+ pk12util supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format. - - - - -h tokenname - Specify the name of the token to import into or export from. - - - -@@ -244,44 +244,44 @@ - - - - Examples - Importing Keys and Certificates - The most basic usage of pk12util for importing a certificate or key is the PKCS #12 input file () and some way to specify the security database being accessed (either for a directory or for a token). - - -- pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] -+ pk12util -i p12File [-h tokenname] [-v] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - - For example: - -- # pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb -+ # pk12util -i /tmp/cert-files/users.p12 -d /home/my/sharednssdb - - Enter a password which will be used to encrypt your keys. - The password should be at least 8 characters long, - and should contain at least one non-alphabetic character. - - Enter new password: - Re-enter password: - Enter password for PKCS12 file: - pk12util: PKCS12 IMPORT SUCCESSFUL - - Exporting Keys and Certificates - Using the pk12util command to export certificates and keys requires both the name of the certificate to extract from the database () and the PKCS #12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material. - -- pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] -+ pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - For example: -- # pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb -+ # pk12util -o certs.p12 -n Server-Cert -d /home/my/sharednssdb - Enter password for PKCS12 file: - Re-enter password: - - Listing Keys and Certificates - The information in a .p12 file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the .p12 file. - -- pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] -+ pk12util -l p12File [-h tokenname] [-r] [-d directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] - For example, this prints the default ASCII output: - # pk12util -l certs.p12 - - Enter password for PKCS12 file: - Key(shrouded): - Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID - - Encryption algorithm: PKCS #12 V2 PBE With SHA-1 And 3KEY Triple DES-CBC -@@ -389,27 +389,26 @@ BerkleyDB. These new databases provide m - - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory - - - - - Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. - --By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example: -+By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: - --# pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb -+# pk12util -i /tmp/cert-files/users.p12 -d dbm:/home/my/sharednssdb - --To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: --export NSS_DEFAULT_DB_TYPE="sql" -+To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: -+export NSS_DEFAULT_DB_TYPE="dbm" - - This line can be set added to the ~/.bashrc file to make the change permanent. - --Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - - - - https://wiki.mozilla.org/NSS_Shared_DB_Howto - - - For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: - -diff --git a/doc/signver.xml b/doc/signver.xml ---- a/doc/signver.xml -+++ b/doc/signver.xml -@@ -59,19 +59,19 @@ - -A - Displays all of the information in the PKCS#7 signature. - - - -V - Verifies the digital signature. - - -- -d [sql:]directory -+ -d directory - Specify the database directory which contains the certificates and keys. -- signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix sql: is not used, then the tool assumes that the given databases are in the old format. -+ signver supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). If the prefix dbm: is not used, then the tool assumes that the given databases are in the SQLite format. - - - -a - Sets that the given signature file is in ASCII format. - - - -i input_file - Gives the input file for the object with signed data. -@@ -90,17 +90,17 @@ - - - - - - Extended Examples - Verifying a Signature - The option verifies that the signature in a given signature file is valid when used to sign the given object (from the input file). --signver -V -s signature_file -i signed_file -d sql:/home/my/sharednssdb -+signver -V -s signature_file -i signed_file -d /home/my/sharednssdb - - signatureValid=yes - - - Printing Signature Data - - The option prints all of the information contained in a signature file. Using the option prints the signature file information to the given output file rather than stdout. - -@@ -150,27 +150,26 @@ BerkleyDB. These new databases provide m - - pkcs11.txt, which is listing of all of the PKCS #11 modules contained in a new subdirectory in the security databases directory - - - - - Because the SQLite databases are designed to be shared, these are the shared database type. The shared database type is preferred; the legacy format is included for backward compatibility. - --By default, the tools (certutil, pk12util, modutil) assume that the given security databases follow the more common legacy type. --Using the SQLite databases must be manually specified by using the sql: prefix with the given security directory. For example: -+By default, the tools (certutil, pk12util, modutil) assume that the given security databases use the SQLite type -+Using the legacy databases must be manually specified by using the dbm: prefix with the given security directory. For example: - --# signver -A -s signature -d sql:/home/my/sharednssdb -+# signver -A -s signature -d dbm:/home/my/sharednssdb - --To set the shared database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to sql: --export NSS_DEFAULT_DB_TYPE="sql" -+To set the legacy database type as the default type for the tools, set the NSS_DEFAULT_DB_TYPE environment variable to dbm: -+export NSS_DEFAULT_DB_TYPE="dbm" - - This line can be added to the ~/.bashrc file to make the change permanent for the user. - --Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases: - - - - https://wiki.mozilla.org/NSS_Shared_DB_Howto - - - For an engineering draft on the changes in the shared NSS databases, see the NSS project wiki: - diff --git a/nss.spec b/nss.spec index ec5b3a0..23cd642 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.35.0 -%global nss_version 3.85.0 +%global nss_version 3.87.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only @@ -7,7 +7,7 @@ %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+1] +%global nspr_release %[%baserelease+2] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -131,8 +131,6 @@ Patch12: nss-signtool-format.patch # fedora disabled dbm by default Patch40: nss-no-dbm-man-page.patch -# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 -Patch50: nss-3.79-fix-client-cert-crash.patch # https://bugzilla.mozilla.org/show_bug.cgi?id=1774659 Patch51: nss-3.79-dbtool.patch @@ -1093,6 +1091,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Tue Jan 10 2023 Frantisek Krenzelok - 3.87.0-1 +- Update NSS to 3.87 & remove unused patches + * Thu Nov 17 2022 Bob Relyea - 3.85.0-1 - update to NSS 3.83 diff --git a/sources b/sources index c9d91e9..48fb43b 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.85.tar.gz) = 97cfffa2beed1dba5d31e0c6e450553e5a8c78b427521640adb00c05d9d63cd64dc08388f0dbf96c93efb79f5daf4ba8db8d026b0b43d2e5c865a9b833fc77a1 SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f +SHA512 (nss-3.87.tar.gz) = 4ec7b94e537df109638b821f3a7e3b7bf31d89c3739a6e4c85cad4fab876390ae482971d6f66198818400f467661e86f39dc1d2a4a88077fd81e3a0b7ed64110 From ea71f8dfa8fed0aa7d31be99dac6f2ad76f0f9ea Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 19 Jan 2023 21:49:27 +0000 Subject: [PATCH 04/28] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- nss.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index 23cd642..1f4bd88 100644 --- a/nss.spec +++ b/nss.spec @@ -3,7 +3,7 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 1 +%global baserelease 2 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. @@ -1091,6 +1091,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Thu Jan 19 2023 Fedora Release Engineering - 3.87.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Tue Jan 10 2023 Frantisek Krenzelok - 3.87.0-1 - Update NSS to 3.87 & remove unused patches From 798366837031b4989bd178b1f64e2760d7c2fee8 Mon Sep 17 00:00:00 2001 From: Bob Relyea Date: Tue, 24 Jan 2023 14:03:27 -0800 Subject: [PATCH 05/28] Fix compile issues found during the Fedora 38 rebuild. (SECStatus is an enum and can't be assigned to and int) --- nss-3.85-fedora-rebuild-errors.patch | 24 ++++++++++++++++++++++++ nss.spec | 6 ++++++ 2 files changed, 30 insertions(+) create mode 100644 nss-3.85-fedora-rebuild-errors.patch diff --git a/nss-3.85-fedora-rebuild-errors.patch b/nss-3.85-fedora-rebuild-errors.patch new file mode 100644 index 0000000..266a394 --- /dev/null +++ b/nss-3.85-fedora-rebuild-errors.patch @@ -0,0 +1,24 @@ +diff -up ./lib/ssl/ssl3exthandle.c.rebuild_errors ./lib/ssl/ssl3exthandle.c +--- ./lib/ssl/ssl3exthandle.c.rebuild_errors 2023-01-24 09:26:36.520183263 -0800 ++++ ./lib/ssl/ssl3exthandle.c 2023-01-24 09:27:07.715379228 -0800 +@@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData * + * Clients sends a filled in session ticket if one is available, and otherwise + * sends an empty ticket. Servers always send empty tickets. + */ +-PRInt32 ++SECStatus + ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, + sslBuffer *buf, PRBool *added) + { +diff -up ./lib/ssl/sslsnce.c.rebuild_errors ./lib/ssl/sslsnce.c +--- ./lib/ssl/sslsnce.c.rebuild_errors 2023-01-24 09:44:52.714977837 -0800 ++++ ./lib/ssl/sslsnce.c 2023-01-24 09:46:20.993510435 -0800 +@@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKe + return SECSuccess; + } + +-static PRBool ++static SECStatus + ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName, + PK11SymKey **aesKey, PK11SymKey **macKey); + diff --git a/nss.spec b/nss.spec index 1f4bd88..ff7b7d4 100644 --- a/nss.spec +++ b/nss.spec @@ -134,6 +134,9 @@ Patch40: nss-no-dbm-man-page.patch # https://bugzilla.mozilla.org/show_bug.cgi?id=1774659 Patch51: nss-3.79-dbtool.patch +# fix rebuilds error +Patch52: nss-3.85-fedora-rebuild-errors.patch + Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1091,6 +1094,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Tue Jan 24 2023 Bob Relyea - 3.87.0-2 +- Fix rebuild errors + * Thu Jan 19 2023 Fedora Release Engineering - 3.87.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 9a23e7f5cd215769ff27ba53de822e668ba6a496 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Fri, 10 Feb 2023 16:42:33 +0100 Subject: [PATCH 06/28] Update NSS to 3.88.1 Signed-off-by: Frantisek Krenzelok --- .gitignore | 1 + nss.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 73aa652..e89f80b 100644 --- a/.gitignore +++ b/.gitignore @@ -77,3 +77,4 @@ TestUser51.cert /nspr-4.35.tar.gz /nss-3.85.tar.gz /nss-3.87.tar.gz +/nss-3.88.1.tar.gz diff --git a/nss.spec b/nss.spec index ff7b7d4..8d4c9a6 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.35.0 -%global nss_version 3.87.0 +%global nss_version 3.88.1 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only @@ -7,7 +7,7 @@ %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+2] +%global nspr_release %[%baserelease+3] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -1094,6 +1094,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Fri Feb 10 2023 Frantisek Krenzelok - 3.88.1-1 +- Update NSS to 3.88.1 + * Tue Jan 24 2023 Bob Relyea - 3.87.0-2 - Fix rebuild errors diff --git a/sources b/sources index 48fb43b..d91999e 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f -SHA512 (nss-3.87.tar.gz) = 4ec7b94e537df109638b821f3a7e3b7bf31d89c3739a6e4c85cad4fab876390ae482971d6f66198818400f467661e86f39dc1d2a4a88077fd81e3a0b7ed64110 +SHA512 (nss-3.88.1.tar.gz) = d15289803a4c3caa1b7a8872b761a95b4f571688c8b8ffaf2a1478e032a356fbcf8a9239ebe1777561503329f63dd237384e1d8af9ca70fb48b40e70954b455a From ef1f194244b8c32a4085a153443b4c77dc18ad35 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Fri, 10 Mar 2023 11:37:32 +0000 Subject: [PATCH 07/28] Update NSS to 3.89.0 & remove unused patch Signed-off-by: Frantisek Krenzelok --- .gitignore | 1 + nss-3.85-fedora-rebuild-errors.patch | 24 ------------------------ nss.spec | 10 +++++----- sources | 2 +- 4 files changed, 7 insertions(+), 30 deletions(-) delete mode 100644 nss-3.85-fedora-rebuild-errors.patch diff --git a/.gitignore b/.gitignore index e89f80b..36c04a5 100644 --- a/.gitignore +++ b/.gitignore @@ -78,3 +78,4 @@ TestUser51.cert /nss-3.85.tar.gz /nss-3.87.tar.gz /nss-3.88.1.tar.gz +/nss-3.89.tar.gz diff --git a/nss-3.85-fedora-rebuild-errors.patch b/nss-3.85-fedora-rebuild-errors.patch deleted file mode 100644 index 266a394..0000000 --- a/nss-3.85-fedora-rebuild-errors.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff -up ./lib/ssl/ssl3exthandle.c.rebuild_errors ./lib/ssl/ssl3exthandle.c ---- ./lib/ssl/ssl3exthandle.c.rebuild_errors 2023-01-24 09:26:36.520183263 -0800 -+++ ./lib/ssl/ssl3exthandle.c 2023-01-24 09:27:07.715379228 -0800 -@@ -201,7 +201,7 @@ ssl3_FreeSniNameArray(TLSExtensionData * - * Clients sends a filled in session ticket if one is available, and otherwise - * sends an empty ticket. Servers always send empty tickets. - */ --PRInt32 -+SECStatus - ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData, - sslBuffer *buf, PRBool *added) - { -diff -up ./lib/ssl/sslsnce.c.rebuild_errors ./lib/ssl/sslsnce.c ---- ./lib/ssl/sslsnce.c.rebuild_errors 2023-01-24 09:44:52.714977837 -0800 -+++ ./lib/ssl/sslsnce.c 2023-01-24 09:46:20.993510435 -0800 -@@ -1820,7 +1820,7 @@ ssl_GetSelfEncryptKeyPair(SECKEYPublicKe - return SECSuccess; - } - --static PRBool -+static SECStatus - ssl_GenerateSelfEncryptKeys(void *pwArg, PRUint8 *keyName, - PK11SymKey **aesKey, PK11SymKey **macKey); - diff --git a/nss.spec b/nss.spec index 8d4c9a6..f99f80a 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.35.0 -%global nss_version 3.88.1 +%global nss_version 3.89.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only @@ -7,7 +7,7 @@ %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+3] +%global nspr_release %[%baserelease+4] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -134,9 +134,6 @@ Patch40: nss-no-dbm-man-page.patch # https://bugzilla.mozilla.org/show_bug.cgi?id=1774659 Patch51: nss-3.79-dbtool.patch -# fix rebuilds error -Patch52: nss-3.85-fedora-rebuild-errors.patch - Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1094,6 +1091,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Fri Mar 10 2023 Frantisek Krenzelok - 3.89.0-1 +- Update NSS to 3.89.0 + * Fri Feb 10 2023 Frantisek Krenzelok - 3.88.1-1 - Update NSS to 3.88.1 diff --git a/sources b/sources index d91999e..1e9ca85 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f -SHA512 (nss-3.88.1.tar.gz) = d15289803a4c3caa1b7a8872b761a95b4f571688c8b8ffaf2a1478e032a356fbcf8a9239ebe1777561503329f63dd237384e1d8af9ca70fb48b40e70954b455a +SHA512 (nss-3.89.tar.gz) = 1db06d4575f2c16d2a0629007981211e714f99c014c0a6256dd33d0caf8c809ba8d5be204d018f9d1cc99b9fcd055ac1fb99b399486ed43c9cf3f55f2747de82 From ed6e518933b7e73d0e04d5eae93a9e4d8afcdc40 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Wed, 5 Apr 2023 15:49:23 -0700 Subject: [PATCH 08/28] Disable GCC dangling-pointer warning to make build work See https://bugzilla.mozilla.org/show_bug.cgi?id=1826650 - with very recent GCC 13, nss build fails on this warning. jschanck is working on a fix, but his first cut didn't work and I really want a build done so we can get a Firefox build done. --- nss.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nss.spec b/nss.spec index f99f80a..a3347fa 100644 --- a/nss.spec +++ b/nss.spec @@ -387,6 +387,10 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized" # Similarly, but for gcc-11 export XCFLAGS="$XCFLAGS -Wno-array-parameter" +# aaaand gcc-133: +# https://bugzilla.mozilla.org/show_bug.cgi?id=1826650 +export XCFLAGS="$XCFLAGS -Wno-dangling-pointer" + export LDFLAGS=$RPM_LD_FLAGS export DSO_LDOPTS=$RPM_LD_FLAGS From 12fcec8a233399c735299fcf84b6eed8181558b9 Mon Sep 17 00:00:00 2001 From: Adam Williamson Date: Thu, 6 Apr 2023 11:06:30 -0700 Subject: [PATCH 09/28] Replace dangling pointer workaround with a patch from upstream --- nss-3.89-dangling.patch | 78 +++++++++++++++++++++++++++++++++++++++++ nss.spec | 9 ++--- 2 files changed, 83 insertions(+), 4 deletions(-) create mode 100644 nss-3.89-dangling.patch diff --git a/nss-3.89-dangling.patch b/nss-3.89-dangling.patch new file mode 100644 index 0000000..ea4690c --- /dev/null +++ b/nss-3.89-dangling.patch @@ -0,0 +1,78 @@ +diff --git a/cmd/ecperf/ecperf.c b/cmd/ecperf/ecperf.c +--- a/cmd/ecperf/ecperf.c ++++ b/cmd/ecperf/ecperf.c +@@ -51,10 +51,11 @@ + int iters = threadData->iters; + unsigned char sigData[256]; + SECItem sig; + CK_SESSION_HANDLE session; + CK_RV crv; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; + + /* get our thread's session */ +@@ -66,10 +67,11 @@ + } + + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + + while (iters--) { + threadData->status = (*op)(session, threadData->p1, +@@ -77,27 +79,33 @@ + if (threadData->status != SECSuccess) { + break; + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + + void + genericThread(void *data) + { + ThreadData *threadData = (ThreadData *)data; + int iters = threadData->iters; + unsigned char sigData[256]; + SECItem sig; ++ void *tmp = NULL; + + threadData->status = SECSuccess; + threadData->count = 0; + + if (threadData->isSign) { + sig.data = sigData; + sig.len = sizeof(sigData); ++ tmp = threadData->p2; + threadData->p2 = (void *)&sig; + } + + while (iters--) { + threadData->status = (*threadData->op)(threadData->p1, +@@ -105,10 +113,14 @@ + if (threadData->status != SECSuccess) { + break; + } + threadData->count++; + } ++ ++ if (threadData->isSign) { ++ threadData->p2 = tmp; ++ } + return; + } + + /* Time iter repetitions of operation op. */ + SECStatus + + diff --git a/nss.spec b/nss.spec index a3347fa..43653a5 100644 --- a/nss.spec +++ b/nss.spec @@ -134,6 +134,11 @@ Patch40: nss-no-dbm-man-page.patch # https://bugzilla.mozilla.org/show_bug.cgi?id=1774659 Patch51: nss-3.79-dbtool.patch +# Fix build with recent GCC 13 +# https://bugzilla.mozilla.org/show_bug.cgi?id=1826650 +# https://bugzilla.mozilla.org/attachment.cgi?id=9327255 +Patch52: nss-3.89-dangling.patch + Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -387,10 +392,6 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized" # Similarly, but for gcc-11 export XCFLAGS="$XCFLAGS -Wno-array-parameter" -# aaaand gcc-133: -# https://bugzilla.mozilla.org/show_bug.cgi?id=1826650 -export XCFLAGS="$XCFLAGS -Wno-dangling-pointer" - export LDFLAGS=$RPM_LD_FLAGS export DSO_LDOPTS=$RPM_LD_FLAGS From 2360d75a85bec7019ba871532c1ca0016dcc47cc Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Fri, 5 May 2023 15:13:05 +0200 Subject: [PATCH 10/28] Use %{nss_version} explicitly insted of %{version} Use nss_version explicitly as version is overiden by nspr_version durring execution of spec Signed-off-by: Frantisek Krenzelok --- nss.spec | 33 ++++++++++++++++++--------------- 1 file changed, 18 insertions(+), 15 deletions(-) diff --git a/nss.spec b/nss.spec index 43653a5..06cb4b4 100644 --- a/nss.spec +++ b/nss.spec @@ -152,7 +152,7 @@ v3 certificates, and other security standards. %package tools Summary: Tools for the Network Security Services -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name}%{?_isa} = %{nss_version}-%{release} %description tools Network Security Services (NSS) is a set of libraries designed to @@ -169,7 +169,7 @@ Summary: System NSS Initialization # providing nss-system-init without version so that it can # be replaced by a better one, e.g. supplied by the os vendor Provides: nss-system-init -Requires: nss%{?_isa} = %{version}-%{release} +Requires: nss%{?_isa} = %{nss_version}-%{release} Requires(post): coreutils, sed %description sysinit @@ -180,8 +180,8 @@ any system or user configured modules. %package devel Summary: Development libraries for Network Security Services -Provides: nss-static = %{version}-%{release} -Requires: nss%{?_isa} = %{version}-%{release} +Provides: nss-static = %{nss_version}-%{release} +Requires: nss%{?_isa} = %{nss_version}-%{release} Requires: nss-util-devel Requires: nss-softokn-devel Requires: nspr-devel >= %{nspr_version} @@ -194,9 +194,9 @@ Header and Library files for doing development with Network Security Services. %package pkcs11-devel Summary: Development libraries for PKCS #11 (Cryptoki) using NSS -Provides: nss-pkcs11-devel-static = %{version}-%{release} -Requires: nss-devel = %{version}-%{release} -Requires: nss-softokn-freebl-devel = %{version}-%{release} +Provides: nss-pkcs11-devel-static = %{nss_version}-%{release} +Requires: nss-devel = %{nss_version}-%{release} +Requires: nss-softokn-freebl-devel = %{nss_version}-%{release} %description pkcs11-devel Library files for developing PKCS #11 modules using basic NSS @@ -212,7 +212,7 @@ Utilities for Network Security Services and the Softoken module %package util-devel Summary: Development libraries for Network Security Services Utilities -Requires: nss-util%{?_isa} = %{version}-%{release} +Requires: nss-util%{?_isa} = %{nss_version}-%{release} Requires: nspr-devel >= %{nspr_version} Requires: pkgconfig @@ -223,8 +223,8 @@ Header and library files for doing development with Network Security Services. %package softokn Summary: Network Security Services Softoken Module Requires: nspr >= %{nspr_version} -Requires: nss-util >= %{version}-%{release} -Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release} +Requires: nss-util >= %{nss_version}-%{release} +Requires: nss-softokn-freebl%{_isa} >= %{nss_version}-%{release} %description softokn Network Security Services Softoken Cryptographic Module @@ -245,8 +245,8 @@ Install the nss-softokn-freebl package if you need the freebl library. %package softokn-freebl-devel Summary: Header and Library files for doing development with the Freebl library for NSS -Provides: nss-softokn-freebl-static = %{version}-%{release} -Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release} +Provides: nss-softokn-freebl-static = %{nss_version}-%{release} +Requires: nss-softokn-freebl%{?_isa} = %{nss_version}-%{release} %description softokn-freebl-devel NSS Softoken Cryptographic Module Freebl Library Development Tools @@ -257,10 +257,10 @@ Developers should rely only on the officially supported NSS public API. %package softokn-devel Summary: Development libraries for Network Security Services -Requires: nss-softokn%{?_isa} = %{version}-%{release} -Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release} +Requires: nss-softokn%{?_isa} = %{nss_version}-%{release} +Requires: nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{release} Requires: nspr-devel >= %{nspr_version} -Requires: nss-util-devel >= %{version}-%{release} +Requires: nss-util-devel >= %{nss_version}-%{release} Requires: pkgconfig %description softokn-devel @@ -1096,6 +1096,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Fri May 5 2023 Frantisek Krenzelok - 3.89.0-1 +- replace %{version} with %{nss_version} as it version can be overiden. + * Fri Mar 10 2023 Frantisek Krenzelok - 3.89.0-1 - Update NSS to 3.89.0 From 7f35208eca13cadc1a12b9718bcd89301b0f59b3 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Fri, 5 May 2023 18:14:19 +0200 Subject: [PATCH 11/28] Combine nss and nspr source togeather Mozilla provides a package that has both utilities Signed-off-by: Frantisek Krenzelok --- .gitignore | 1 + nss.spec | 12 ++++++------ sources | 3 +-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index 36c04a5..d85a5a4 100644 --- a/.gitignore +++ b/.gitignore @@ -79,3 +79,4 @@ TestUser51.cert /nss-3.87.tar.gz /nss-3.88.1.tar.gz /nss-3.89.tar.gz +/nss-3.89-with-nspr-4.35.tar.gz diff --git a/nss.spec b/nss.spec index 06cb4b4..0c237ee 100644 --- a/nss.spec +++ b/nss.spec @@ -57,6 +57,8 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", string.gsub(rpm.expand("%nss_archive_version"), "%.", "_"))) } +%global nss_nspr_archive nss-%{nss_archive_version}-with-nspr-%{nspr_archive_version} + Summary: Network Security Services Name: nss Version: %{nss_version} @@ -82,7 +84,7 @@ BuildRequires: psmisc BuildRequires: perl-interpreter BuildRequires: gcc-c++ -Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz +Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{nss_nspr_archive}.tar.gz Source1: nss-util.pc.in Source2: nss-util-config.in Source3: nss-softokn.pc.in @@ -112,7 +114,6 @@ Source27: secmod.db.xml %endif Source28: nss-p11-kit.config -Source100: nspr-%{nspr_archive_version}.tar.gz Source101: nspr-config.xml # This patch uses the GCC -iquote option documented at @@ -293,12 +294,8 @@ Conflicts: filesystem < 3 %description -n nspr-devel Header files for doing development with the Netscape Portable Runtime. - %prep -%setup -q -T -b 100 -n nspr-%{nspr_archive_version} - %setup -q -T -b 0 -n %{name}-%{nss_archive_version} -mv ../nspr-%{nspr_archive_version}/nspr . cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in %patch100 -p0 -b .flags @@ -1096,6 +1093,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Fri May 5 2023 Frantisek Krenzelok - 3.89.0-1 +- combine nss and nspr source togeather + * Fri May 5 2023 Frantisek Krenzelok - 3.89.0-1 - replace %{version} with %{nss_version} as it version can be overiden. diff --git a/sources b/sources index 1e9ca85..90039d1 100644 --- a/sources +++ b/sources @@ -1,4 +1,3 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f -SHA512 (nss-3.89.tar.gz) = 1db06d4575f2c16d2a0629007981211e714f99c014c0a6256dd33d0caf8c809ba8d5be204d018f9d1cc99b9fcd055ac1fb99b399486ed43c9cf3f55f2747de82 +SHA512 (nss-3.89-with-nspr-4.35.tar.gz) = 3c7fc3062baf577473001f6a2724bae14c809d725c4ae8d90a6de1ef84c6d1c2276efe09f4112241d7b3c32b0c6d529eb87739ca02b8002e3bed3081f06cdff4 From 410a644f5b55862123f59d15bc32a57da81ca2f8 Mon Sep 17 00:00:00 2001 From: Peter Leitmann Date: Sun, 16 Apr 2023 20:26:43 +0200 Subject: [PATCH 12/28] Add TMT interoperability tests --- .fmf/version | 1 + ci.fmf | 1 + plans/gnutls-2way.fmf | 10 ++ plans/openssl-2way.fmf | 10 ++ plans/openssl-reneg.fmf | 10 ++ plans/short-interop-tests.fmf | 10 ++ .../Makefile | 64 --------- .../PURPOSE | 4 - .../runtest.sh | 125 ------------------ tests/tests.yml | 12 -- 10 files changed, 42 insertions(+), 205 deletions(-) create mode 100644 .fmf/version create mode 100644 ci.fmf create mode 100644 plans/gnutls-2way.fmf create mode 100644 plans/openssl-2way.fmf create mode 100644 plans/openssl-reneg.fmf create mode 100644 plans/short-interop-tests.fmf delete mode 100644 tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile delete mode 100644 tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE delete mode 100755 tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh delete mode 100644 tests/tests.yml diff --git a/.fmf/version b/.fmf/version new file mode 100644 index 0000000..d00491f --- /dev/null +++ b/.fmf/version @@ -0,0 +1 @@ +1 diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..c5aa0e0 --- /dev/null +++ b/ci.fmf @@ -0,0 +1 @@ +resultsdb-testcase: separate diff --git a/plans/gnutls-2way.fmf b/plans/gnutls-2way.fmf new file mode 100644 index 0000000..69b116b --- /dev/null +++ b/plans/gnutls-2way.fmf @@ -0,0 +1,10 @@ +summary: Upstreamed interop-2way tests +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-gnutls-2way + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-nss & tag: interop-gnutls & tag: interop-2way' +execute: + how: tmt diff --git a/plans/openssl-2way.fmf b/plans/openssl-2way.fmf new file mode 100644 index 0000000..ddebbfb --- /dev/null +++ b/plans/openssl-2way.fmf @@ -0,0 +1,10 @@ +summary: Upstreamed interop-2way tests +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-openssl-2way + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-nss & tag: interop-openssl & tag: interop-2way' +execute: + how: tmt diff --git a/plans/openssl-reneg.fmf b/plans/openssl-reneg.fmf new file mode 100644 index 0000000..b66cb6a --- /dev/null +++ b/plans/openssl-reneg.fmf @@ -0,0 +1,10 @@ +summary: Upstreamed interop-nss-openssl renegotiation test +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-openssl-reneg + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-nss & tag: interop-openssl & tag: interop-reneg' +execute: + how: tmt diff --git a/plans/short-interop-tests.fmf b/plans/short-interop-tests.fmf new file mode 100644 index 0000000..67fb89c --- /dev/null +++ b/plans/short-interop-tests.fmf @@ -0,0 +1,10 @@ +summary: Upstreamed interop tests - short tests which do not need to run in parallel +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-other+nss-fast + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-nss & tag: -interop-slow' +execute: + how: tmt diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile deleted file mode 100644 index ea65d87..0000000 --- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile +++ /dev/null @@ -1,64 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when -# Description: NSS tools should not use SHA1 by default when -# Author: Hubert Kario -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2016 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Hubert Kario " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA) - @echo "Type: Regression" >> $(METADATA) - @echo "TestTime: 10m" >> $(METADATA) - @echo "RunFor: nss openssl" >> $(METADATA) - @echo "Requires: nss nss-tools openssl" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE deleted file mode 100644 index 7caf493..0000000 --- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE +++ /dev/null @@ -1,4 +0,0 @@ -PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when -Description: NSS tools should not use SHA1 by default when -Author: Hubert Kario -Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh deleted file mode 100755 index 8290d92..0000000 --- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh +++ /dev/null @@ -1,125 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when -# Description: NSS tools should not use SHA1 by default when -# Author: Hubert Kario -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2016 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="nss" -PACKAGES="nss openssl" -DBDIR="nssdb" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm --all - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlRun "mkdir nssdb" - rlRun "certutil -N -d $DBDIR --empty-password" - rlLogInfo "Create a JAR file" - rlRun "mkdir java-dir" - rlRun "pushd java-dir" - rlRun "mkdir META-INF mypackage" - rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF" - rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class" - #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class" - rlRun "popd" - #rlRun "mv java-dir/package.jar ." - rlPhaseEnd - - rlPhaseStartTest "Self signing certificates" - rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" - rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise" - rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Signing certificates" - rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" - rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime" - rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Certificate request" - rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" - rlRun "mkdir srv2db" - rlRun "certutil -d srv2db -N --empty-password" - rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise" - rlRun -s "openssl req -noout -text -in srv2.req" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt" - rlRun -s "openssl x509 -in srv2.crt -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlRun "rm -rf srv2db" - rlPhaseEnd - - rlPhaseStartTest "Certificate request with SHA1" - rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" - rlRun "mkdir srv2db" - rlRun "certutil -d srv2db -N --empty-password" - rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1" - rlRun -s "openssl req -noout -text -in srv2.req" - rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG" - rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt" - rlRun -s "openssl x509 -in srv2.crt -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlRun "rm -rf srv2db" - rlPhaseEnd - - rlPhaseStartTest "Signing CMS messages" - rlRun "echo 'This is a document' > document.txt" - rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms" - rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print" - rlAssertGrep "algorithm: sha256" $rlRun_LOG - rlAssertNotGrep "algorithm: sha1" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "CRL signing" - rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script" - rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script" - rlRun "echo addext crlNumber 0 1245 >>script" - rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script" - rlRun "echo addext reasonCode 0 0 >>script" - rlRun "cat script" - rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl" - rlRun -s "openssl crl -in ca.crl -inform der -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartCleanup - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index df64aa2..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -# This first play always runs on the local staging system -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - classic - tests: - - NSS-tools-should-not-use-SHA1-by-default-when - required_packages: - - nss-tools - - nss From c285f42bbe9325c1e2201c6fd3d955edf59cad06 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Mon, 5 Jun 2023 11:01:36 +0200 Subject: [PATCH 13/28] Update NSS to 3.90.0 Signed-off-by: Frantisek Krenzelok --- .gitignore | 1 + nss-signtool-format.patch | 4 ++-- nss.spec | 14 ++++++-------- sources | 2 +- 4 files changed, 10 insertions(+), 11 deletions(-) diff --git a/.gitignore b/.gitignore index d85a5a4..9550e81 100644 --- a/.gitignore +++ b/.gitignore @@ -80,3 +80,4 @@ TestUser51.cert /nss-3.88.1.tar.gz /nss-3.89.tar.gz /nss-3.89-with-nspr-4.35.tar.gz +/nss-3.90-with-nspr-4.35.tar.gz diff --git a/nss-signtool-format.patch b/nss-signtool-format.patch index 5f146f1..f81d35c 100644 --- a/nss-signtool-format.patch +++ b/nss-signtool-format.patch @@ -10,7 +10,7 @@ diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c /* Recursively delete all entries in the directory */ while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) { -- sprintf(filename, "%s/%s", path, entry->name); +- snprintf(filename, sizeof(filename), "%s/%s", path, entry->name); + if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) { + PR_CloseDir(dir); + return -1; @@ -29,7 +29,7 @@ diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c @@ -138,6 +138,12 @@ rm_dash_r(char *path) /* Recursively delete all entries in the directory */ while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) { - sprintf(filename, "%s/%s", path, entry->name); + snprintf(filename, sizeof(filename), "%s/%s", path, entry->name); + if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name +) >= sizeof(filename)) { + errorCount++; diff --git a/nss.spec b/nss.spec index 0c237ee..31bcc99 100644 --- a/nss.spec +++ b/nss.spec @@ -1,13 +1,13 @@ %global nspr_version 4.35.0 -%global nss_version 3.89.0 +%global nss_version 3.90.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 2 +%global baserelease 1 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+4] +%global nspr_release %[%baserelease+0] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -135,11 +135,6 @@ Patch40: nss-no-dbm-man-page.patch # https://bugzilla.mozilla.org/show_bug.cgi?id=1774659 Patch51: nss-3.79-dbtool.patch -# Fix build with recent GCC 13 -# https://bugzilla.mozilla.org/show_bug.cgi?id=1826650 -# https://bugzilla.mozilla.org/attachment.cgi?id=9327255 -Patch52: nss-3.89-dangling.patch - Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1093,6 +1088,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Mon Jun 5 2023 Frantisek Krenzelok - 3.90.0-1 +- Update NSS to 3.90.0 + * Fri May 5 2023 Frantisek Krenzelok - 3.89.0-1 - combine nss and nspr source togeather diff --git a/sources b/sources index 90039d1..126d634 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.89-with-nspr-4.35.tar.gz) = 3c7fc3062baf577473001f6a2724bae14c809d725c4ae8d90a6de1ef84c6d1c2276efe09f4112241d7b3c32b0c6d529eb87739ca02b8002e3bed3081f06cdff4 +SHA512 (nss-3.90-with-nspr-4.35.tar.gz) = cbc75af3d3e1bf084011d435f0957d134cb3d3d66dcee45f9712ed22b470035ba1e808fc6457e8dc0d8d8e168d77d1117a4373d42905130f76ea58217ff88e30 From 493bb4aa7bb50562646e9fd1d7925075b42f3988 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Mon, 5 Jun 2023 13:46:43 +0200 Subject: [PATCH 14/28] Update %patch syntax The syntax was changed from `%patch` to `%patch ` Signed-off-by: Frantisek Krenzelok --- nss.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/nss.spec b/nss.spec index 31bcc99..f452485 100644 --- a/nss.spec +++ b/nss.spec @@ -293,9 +293,9 @@ Header files for doing development with the Netscape Portable Runtime. %setup -q -T -b 0 -n %{name}-%{nss_archive_version} cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in -%patch100 -p0 -b .flags +%patch 100 -p0 -b .flags pushd nspr -%patch101 -p1 -b .gcc-atomics +%patch 101 -p1 -b .gcc-atomics popd pushd nss @@ -1088,6 +1088,10 @@ update-crypto-policies &> /dev/null || : %changelog + +* Mon Jun 5 2023 Frantisek Krenzelok - 3.90.0-1 +- Update %patch syntax + * Mon Jun 5 2023 Frantisek Krenzelok - 3.90.0-1 - Update NSS to 3.90.0 From 2bdda3a809789e364c829a75a9d4fa3cdcd4aa54 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Tue, 6 Jun 2023 08:48:06 +0200 Subject: [PATCH 15/28] Fix: add condition for architecture specific assebly feature Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 Additional bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 Signed-off-by: Frantisek Krenzelok --- nss-3.90-DisablingASM.patch | 36 ++++++++++++++++++++++++++++++++++++ nss.spec | 7 +++++++ 2 files changed, 43 insertions(+) create mode 100644 nss-3.90-DisablingASM.patch diff --git a/nss-3.90-DisablingASM.patch b/nss-3.90-DisablingASM.patch new file mode 100644 index 0000000..3574a47 --- /dev/null +++ b/nss-3.90-DisablingASM.patch @@ -0,0 +1,36 @@ +diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile +--- a/lib/freebl/Makefile ++++ b/lib/freebl/Makefile +@@ -560,6 +560,9 @@ else + endif # Solaris for non-sparc family CPUs + endif # target == SunO + ++# As the result of the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 ++# we currently totally removing the support of Vale implementation of Curve25519 ++SUPPORTS_VALE_CURVE25519 = 0 + ifdef USE_64 + # no __int128 at least up to lcc 1.23 (pretending to be gcc5) + # NB: CC_NAME is not defined here +@@ -568,7 +571,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null /dev/null || : %changelog +* Thu Jun 6 2023 Frantisek Krenzelok - 3.90.0-1 +- Add patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 & + https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 * Mon Jun 5 2023 Frantisek Krenzelok - 3.90.0-1 - Update %patch syntax From 746cb03e25ca29789b193451f6eab599702df31b Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Tue, 6 Jun 2023 12:49:30 +0200 Subject: [PATCH 16/28] Hotfix: previous commit 2bdda3a Signed-off-by: Frantisek Krenzelok --- nss-3.90-DisablingASM.patch | 45 +++++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 12 deletions(-) diff --git a/nss-3.90-DisablingASM.patch b/nss-3.90-DisablingASM.patch index 3574a47..7d1a17f 100644 --- a/nss-3.90-DisablingASM.patch +++ b/nss-3.90-DisablingASM.patch @@ -1,17 +1,8 @@ diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile +index 74e8e65..8995752 100644 --- a/lib/freebl/Makefile +++ b/lib/freebl/Makefile -@@ -560,6 +560,9 @@ else - endif # Solaris for non-sparc family CPUs - endif # target == SunO - -+# As the result of the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 -+# we currently totally removing the support of Vale implementation of Curve25519 -+SUPPORTS_VALE_CURVE25519 = 0 - ifdef USE_64 - # no __int128 at least up to lcc 1.23 (pretending to be gcc5) - # NB: CC_NAME is not defined here -@@ -568,7 +571,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null &1 >/dev/null Date: Tue, 6 Jun 2023 21:13:13 +0200 Subject: [PATCH 17/28] Fix changelog date --- nss.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index b98753f..f3555b4 100644 --- a/nss.spec +++ b/nss.spec @@ -1092,7 +1092,7 @@ update-crypto-policies &> /dev/null || : %changelog -* Thu Jun 6 2023 Frantisek Krenzelok - 3.90.0-1 +* Tue Jun 6 2023 Frantisek Krenzelok - 3.90.0-1 - Add patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 & https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 From 5ddb492599840f9bccee1d0e7be0b140b3829090 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Fri, 9 Jun 2023 15:01:25 +0200 Subject: [PATCH 18/28] Resolves: rhbz#2213765 by fixing the nspr_release number --- nss.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nss.spec b/nss.spec index f3555b4..0f876b7 100644 --- a/nss.spec +++ b/nss.spec @@ -3,11 +3,11 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 1 +%global baserelease 2 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+0] +%global nspr_release %[%baserelease+6] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 From 9420b56ac3676f35a62be1008af9ef6358ec2f0f Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Tue, 13 Jun 2023 12:37:56 +0200 Subject: [PATCH 19/28] Explicitly specify the doc files for nspr-devel nspr-devel now contains only the nspr relevant docs instead of all the docs. Signed-off-by: Frantisek Krenzelok --- nss.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index 0f876b7..f41373e 100644 --- a/nss.spec +++ b/nss.spec @@ -1088,7 +1088,7 @@ update-crypto-policies &> /dev/null || : %{_includedir}/nspr4 %{_libdir}/pkgconfig/nspr.pc %{_bindir}/nspr-config -%{_mandir}/man*/* +%doc %{_mandir}/man1/nspr-config.* %changelog From 3ba95b4e6d7b53f78ed4266dea5acda09a38820e Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Tue, 4 Jul 2023 15:41:56 +0200 Subject: [PATCH 20/28] Update NSS to 3.91.0 Signed-off-by: Frantisek Krenzelok --- .gitignore | 1 + nss-3.90-DisablingASM.patch | 57 ------------------------------------- nss.spec | 13 ++++----- sources | 2 +- 4 files changed, 8 insertions(+), 65 deletions(-) delete mode 100644 nss-3.90-DisablingASM.patch diff --git a/.gitignore b/.gitignore index 9550e81..2577afd 100644 --- a/.gitignore +++ b/.gitignore @@ -81,3 +81,4 @@ TestUser51.cert /nss-3.89.tar.gz /nss-3.89-with-nspr-4.35.tar.gz /nss-3.90-with-nspr-4.35.tar.gz +/nss-3.91-with-nspr-4.35.tar.gz diff --git a/nss-3.90-DisablingASM.patch b/nss-3.90-DisablingASM.patch deleted file mode 100644 index 7d1a17f..0000000 --- a/nss-3.90-DisablingASM.patch +++ /dev/null @@ -1,57 +0,0 @@ -diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile -index 74e8e65..8995752 100644 ---- a/lib/freebl/Makefile -+++ b/lib/freebl/Makefile -@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null /dev/null || : %changelog +* Tue Jul 4 2023 Frantisek Krenzelok - 3.91.0-1 +- Update NSS to 3.91.0 + * Tue Jun 6 2023 Frantisek Krenzelok - 3.90.0-1 - Add patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 & https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 diff --git a/sources b/sources index 126d634..e6a5c5c 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.90-with-nspr-4.35.tar.gz) = cbc75af3d3e1bf084011d435f0957d134cb3d3d66dcee45f9712ed22b470035ba1e808fc6457e8dc0d8d8e168d77d1117a4373d42905130f76ea58217ff88e30 +SHA512 (nss-3.91-with-nspr-4.35.tar.gz) = e408dacfa51522b254cc28abc9a2188a05a9d34367e2c770d2bfea0727c7e0073e335a0cdf86f990ab246c331d2c85e1f787c66a1f9aa2fbb0163e6021fb7a37 From d99edd11582e78b3856adf1e0f9dff58a92557e1 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Thu, 20 Jul 2023 16:55:07 +0000 Subject: [PATCH 21/28] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- nss.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index a7042b8..7213e48 100644 --- a/nss.spec +++ b/nss.spec @@ -3,7 +3,7 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 1 +%global baserelease 2 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. @@ -1088,6 +1088,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Thu Jul 20 2023 Fedora Release Engineering - 3.91.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Tue Jul 4 2023 Frantisek Krenzelok - 3.91.0-1 - Update NSS to 3.91.0 From 2e20259fc5be82eb913f33f1cecf8f6c33568979 Mon Sep 17 00:00:00 2001 From: Frantisek Krenzelok Date: Tue, 1 Aug 2023 17:05:32 +0200 Subject: [PATCH 22/28] Update NSS to 3.92.0 Signed-off-by: Frantisek Krenzelok --- .gitignore | 1 + nss.spec | 9 ++++++--- sources | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index 2577afd..5db6588 100644 --- a/.gitignore +++ b/.gitignore @@ -82,3 +82,4 @@ TestUser51.cert /nss-3.89-with-nspr-4.35.tar.gz /nss-3.90-with-nspr-4.35.tar.gz /nss-3.91-with-nspr-4.35.tar.gz +/nss-3.92-with-nspr-4.35.tar.gz diff --git a/nss.spec b/nss.spec index 7213e48..3f1fa76 100644 --- a/nss.spec +++ b/nss.spec @@ -1,13 +1,13 @@ %global nspr_version 4.35.0 -%global nss_version 3.91.0 +%global nss_version 3.92.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 2 +%global baserelease 1 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+8] +%global nspr_release %[%baserelease+10] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -1088,6 +1088,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Tue Aug 1 2023 Frantisek Krenzelok - 3.92.0-1 +- Update NSS to 3.92.0 + * Thu Jul 20 2023 Fedora Release Engineering - 3.91.0-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild diff --git a/sources b/sources index e6a5c5c..a90f69d 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.91-with-nspr-4.35.tar.gz) = e408dacfa51522b254cc28abc9a2188a05a9d34367e2c770d2bfea0727c7e0073e335a0cdf86f990ab246c331d2c85e1f787c66a1f9aa2fbb0163e6021fb7a37 +SHA512 (nss-3.92-with-nspr-4.35.tar.gz) = 72810b62cea08c40200ea499a478e05483fa2b336f516c15776beb1ad7f8e8a7b69da8ffb7688f2b50a4725c1973d1c34e53a94e55657d2c4496b593af8959b1 From d11658ac7e072dc4e1d04b333541c8b81cbe8622 Mon Sep 17 00:00:00 2001 From: Krenzelok Frantisek Date: Thu, 31 Aug 2023 04:36:41 +0200 Subject: [PATCH 23/28] Update NSS to 3.93.0 --- .gitignore | 1 + nss.spec | 7 +++++-- sources | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.gitignore b/.gitignore index 5db6588..5cfabf8 100644 --- a/.gitignore +++ b/.gitignore @@ -83,3 +83,4 @@ TestUser51.cert /nss-3.90-with-nspr-4.35.tar.gz /nss-3.91-with-nspr-4.35.tar.gz /nss-3.92-with-nspr-4.35.tar.gz +/nss-3.93-with-nspr-4.35.tar.gz diff --git a/nss.spec b/nss.spec index 3f1fa76..ad8f24f 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.35.0 -%global nss_version 3.92.0 +%global nss_version 3.93.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only @@ -7,7 +7,7 @@ %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+10] +%global nspr_release %[%baserelease+11] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -1088,6 +1088,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Thu Aug 31 2023 Frantisek Krenzelok - 3.93.0-1 +- Update NSS to 3.93.0 + * Tue Aug 1 2023 Frantisek Krenzelok - 3.92.0-1 - Update NSS to 3.92.0 diff --git a/sources b/sources index a90f69d..d342e47 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.92-with-nspr-4.35.tar.gz) = 72810b62cea08c40200ea499a478e05483fa2b336f516c15776beb1ad7f8e8a7b69da8ffb7688f2b50a4725c1973d1c34e53a94e55657d2c4496b593af8959b1 +SHA512 (nss-3.93-with-nspr-4.35.tar.gz) = efe85e09021ca363df35d092b32463b359b2a23fc6e761949e944ba4209b09bdf007fc69015086a278c999411d62b9dba6fbedfb8a7c962ed40e406de45bc28e From a5c303c526a435b70c0c7a4cfee0554977700c8d Mon Sep 17 00:00:00 2001 From: Robert Relyea Date: Mon, 11 Sep 2023 09:48:48 -0700 Subject: [PATCH 24/28] Update License field to SPDX. --- nss.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/nss.spec b/nss.spec index ad8f24f..d474e8b 100644 --- a/nss.spec +++ b/nss.spec @@ -3,7 +3,7 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 1 +%global baserelease 2 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. @@ -63,7 +63,7 @@ Summary: Network Security Services Name: nss Version: %{nss_version} Release: %{nss_release}%{?dist} -License: MPLv2.0 +License: MPL-2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} Requires: nss-util >= %{nss_version} @@ -266,7 +266,7 @@ Header and library files for doing development with Network Security Services. Summary: Netscape Portable Runtime Version: %{nspr_version} Release: %{nspr_release}%{?dist} -License: MPLv2.0 +License: MPL-2.0 URL: http://www.mozilla.org/projects/nspr/ Conflicts: filesystem < 3 BuildRequires: gcc @@ -1088,6 +1088,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Thu Sep 07 2023 Bob Relyea - 3.93.0-2 +- Update License field to SPDX. + * Thu Aug 31 2023 Frantisek Krenzelok - 3.93.0-1 - Update NSS to 3.93.0 From 78c186d68be89e5116577925acf1d51920dbae14 Mon Sep 17 00:00:00 2001 From: Krenzelok Frantisek Date: Wed, 4 Oct 2023 08:07:50 +0200 Subject: [PATCH 25/28] Update NSS to 3.94.0 --- .gitignore | 1 + nss.spec | 12 ++++++------ sources | 2 +- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/.gitignore b/.gitignore index 5cfabf8..61e1690 100644 --- a/.gitignore +++ b/.gitignore @@ -84,3 +84,4 @@ TestUser51.cert /nss-3.91-with-nspr-4.35.tar.gz /nss-3.92-with-nspr-4.35.tar.gz /nss-3.93-with-nspr-4.35.tar.gz +/nss-3.94-with-nspr-4.35.tar.gz diff --git a/nss.spec b/nss.spec index d474e8b..9bbcd89 100644 --- a/nss.spec +++ b/nss.spec @@ -1,13 +1,13 @@ %global nspr_version 4.35.0 -%global nss_version 3.93.0 +%global nss_version 3.94.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 2 +%global baserelease 1 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+11] +%global nspr_release %[%baserelease+13] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -132,9 +132,6 @@ Patch12: nss-signtool-format.patch # fedora disabled dbm by default Patch40: nss-no-dbm-man-page.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1774659 -Patch51: nss-3.79-dbtool.patch - Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1088,6 +1085,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Wed Oct 4 2023 Frantisek Krenzelok - 3.94.0-1 +- Update NSS to 3.94.0 + * Thu Sep 07 2023 Bob Relyea - 3.93.0-2 - Update License field to SPDX. diff --git a/sources b/sources index d342e47..fa784d4 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.93-with-nspr-4.35.tar.gz) = efe85e09021ca363df35d092b32463b359b2a23fc6e761949e944ba4209b09bdf007fc69015086a278c999411d62b9dba6fbedfb8a7c962ed40e406de45bc28e +SHA512 (nss-3.94-with-nspr-4.35.tar.gz) = 121180c80c635b0e3e9fa5d44297107d4c5da84879210e81da0f799a48e9ed1ea43e5c28d5cb53fd65218678b94b5db282b7ed0ee96482caa01493c39ed93c27 From 5b2f53fc24817dd6af294329bbcd10f55692c25f Mon Sep 17 00:00:00 2001 From: Robert Relyea Date: Wed, 25 Oct 2023 14:57:37 -0700 Subject: [PATCH 26/28] Fix binary compatibilty issue in ECC by reverting the HACL patch. --- nss-3.94-HACL-p256.patch | 4306 ++++++++++++++++++++++++++++++++++++++ nss.spec | 8 +- 2 files changed, 4313 insertions(+), 1 deletion(-) create mode 100644 nss-3.94-HACL-p256.patch diff --git a/nss-3.94-HACL-p256.patch b/nss-3.94-HACL-p256.patch new file mode 100644 index 0000000..a7286a1 --- /dev/null +++ b/nss-3.94-HACL-p256.patch @@ -0,0 +1,4306 @@ + +# HG changeset patch +# User Karthikeyan Bhargavan +# Date 1694025109 0 +# Node ID 88262a8e60126b5168d0b96306ed5fd2de4867bb +# Parent ffb50bee6680491dddbdc9a3fa723c86332f15f9 +Bug 1615555 - P-256 ECDH and ECDSA from HACL*. r=jschanck + +Differential Revision: https://phabricator.services.mozilla.com/D185341 + +diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile +--- a/lib/freebl/Makefile ++++ b/lib/freebl/Makefile +@@ -602,17 +602,17 @@ ifndef NSS_DISABLE_CHACHAPOLY + EXTRA_SRCS += Hacl_Poly1305_128.c Hacl_Chacha20_Vec128.c Hacl_Chacha20Poly1305_128.c + DEFINES += -DHACL_CAN_COMPILE_VEC128 + endif + endif # x86_64 + + VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c + endif # NSS_DISABLE_CHACHAPOLY + +-VERIFIED_SRCS += Hacl_Hash_SHA3.c ++VERIFIED_SRCS += Hacl_Hash_SHA3.c Hacl_P256.c + + ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH))) + # All 64-bit architectures get the 64 bit version. + ECL_SRCS += curve25519_64.c + VERIFIED_SRCS += Hacl_Curve25519_51.c + else + # All other architectures get the generic 32 bit implementation + ECL_SRCS += curve25519_32.c +diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h +--- a/lib/freebl/blapi.h ++++ b/lib/freebl/blapi.h +@@ -1886,11 +1886,16 @@ extern SECStatus EC_DecodeParams(const S + extern SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, + const ECParams *srcParams); + + /* + * use the internal table to get the size in bytes of a single EC point + */ + extern int EC_GetPointSize(const ECParams *params); + ++/* ++ * use the internal table to get the size in bytes of a single EC coordinate ++ */ ++extern int EC_GetScalarSize(const ECParams *params); ++ + SEC_END_PROTOS + + #endif /* _BLAPI_H_ */ +diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c +--- a/lib/freebl/ec.c ++++ b/lib/freebl/ec.c +@@ -16,17 +16,25 @@ + #include "ec.h" + #include "ecl.h" + + #define EC_DOUBLECHECK PR_FALSE + + static const ECMethod kMethods[] = { + { ECCurve25519, + ec_Curve25519_pt_mul, +- ec_Curve25519_pt_validate } ++ ec_Curve25519_pt_validate, ++ NULL, NULL }, ++ { ++ ECCurve_NIST_P256, ++ ec_secp256r1_pt_mul, ++ ec_secp256r1_pt_validate, ++ ec_secp256r1_sign_digest, ++ ec_secp256r1_verify_digest, ++ } + }; + + static const ECMethod * + ec_get_method_from_name(ECCurveName name) + { + unsigned long i; + for (i = 0; i < sizeof(kMethods) / sizeof(kMethods[0]); ++i) { + if (kMethods[i].name == name) { +@@ -282,17 +290,21 @@ ec_NewKey(ECParams *ecParams, ECPrivateK + if (ecParams->fieldID.type == ec_field_plain) { + const ECMethod *method = ec_get_method_from_name(ecParams->name); + if (method == NULL || method->mul == NULL) { + /* unknown curve */ + rv = SECFailure; + goto cleanup; + } + rv = method->mul(&key->publicValue, &key->privateValue, NULL); +- goto done; ++ if (rv != SECSuccess) { ++ goto cleanup; ++ } else { ++ goto done; ++ } + } + + CHECK_MPI_OK(mp_init(&k)); + CHECK_MPI_OK(mp_read_unsigned_octets(&k, key->privateValue.data, + (mp_size)len)); + + rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue)); + if (rv != SECSuccess) { +@@ -367,16 +379,17 @@ ec_GenerateRandomPrivateKey(const unsign + CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len)); + CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len)); + CHECK_MPI_OK(mp_set_int(&one, 1)); + CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1)); + CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal)); + CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal)); + CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len)); + memset(privKeyBytes + len, 0, len); ++ + cleanup: + mp_clear(&privKeyVal); + mp_clear(&order_1); + mp_clear(&one); + if (err < MP_OKAY) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; + } +@@ -435,28 +448,34 @@ EC_ValidatePublicKey(ECParams *ecParams, + ECGroup *group = NULL; + SECStatus rv = SECFailure; + mp_err err = MP_OKAY; + unsigned int len; + + if (!ecParams || ecParams->name == ECCurve_noName || + !publicValue || !publicValue->len) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); +- return SECFailure; ++ rv = SECFailure; ++ return rv; + } + + /* Uses curve specific code for point validation. */ + if (ecParams->fieldID.type == ec_field_plain) { + const ECMethod *method = ec_get_method_from_name(ecParams->name); + if (method == NULL || method->validate == NULL) { + /* unknown curve */ + PORT_SetError(SEC_ERROR_INVALID_ARGS); +- return SECFailure; ++ rv = SECFailure; ++ return rv; + } +- return method->validate(publicValue); ++ rv = method->validate(publicValue); ++ if (rv != SECSuccess) { ++ PORT_SetError(SEC_ERROR_BAD_KEY); ++ } ++ return rv; + } + + /* NOTE: We only support uncompressed points for now */ + len = (((unsigned int)ecParams->fieldID.size) + 7) >> 3; + if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); + return SECFailure; + } else if (publicValue->len != (2 * len + 1)) { +@@ -505,16 +524,17 @@ EC_ValidatePublicKey(ECParams *ecParams, + } + + rv = SECSuccess; + + cleanup: + ECGroup_free(group); + mp_clear(&Px); + mp_clear(&Py); ++ + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; + } + return rv; + } + + /* +@@ -531,61 +551,66 @@ SECStatus + ECDH_Derive(SECItem *publicValue, + ECParams *ecParams, + SECItem *privateValue, + PRBool withCofactor, + SECItem *derivedSecret) + { + SECStatus rv = SECFailure; + unsigned int len = 0; +- SECItem pointQ = { siBuffer, NULL, 0 }; +- mp_int k; /* to hold the private value */ + mp_err err = MP_OKAY; +-#if EC_DEBUG +- int i; +-#endif + + if (!publicValue || !publicValue->len || + !ecParams || ecParams->name == ECCurve_noName || + !privateValue || !privateValue->len || !derivedSecret) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); +- return SECFailure; ++ rv = SECFailure; ++ return rv; + } + + /* + * Make sure the point is on the requested curve to avoid + * certain small subgroup attacks. + */ + if (EC_ValidatePublicKey(ecParams, publicValue) != SECSuccess) { + PORT_SetError(SEC_ERROR_BAD_KEY); +- return SECFailure; ++ rv = SECFailure; ++ return rv; + } + + /* Perform curve specific multiplication using ECMethod */ + if (ecParams->fieldID.type == ec_field_plain) { + const ECMethod *method; + memset(derivedSecret, 0, sizeof(*derivedSecret)); +- derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetPointSize(ecParams)); ++ derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetScalarSize(ecParams)); + if (derivedSecret == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); +- return SECFailure; ++ rv = SECFailure; ++ return rv; + } + method = ec_get_method_from_name(ecParams->name); + if (method == NULL || method->validate == NULL || + method->mul == NULL) { + PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); +- return SECFailure; ++ rv = SECFailure; ++ goto done; + } + rv = method->mul(derivedSecret, privateValue, publicValue); + if (rv != SECSuccess) { +- SECITEM_ZfreeItem(derivedSecret, PR_FALSE); ++ PORT_SetError(SEC_ERROR_BAD_KEY); + } +- return rv; ++ goto done; + } + ++ SECItem pointQ = { siBuffer, NULL, 0 }; ++ mp_int k; /* to hold the private value */ ++#if EC_DEBUG ++ int i; ++#endif ++ + /* + * We fail if the public value is the point at infinity, since + * this produces predictable results. + */ + if (ec_point_at_infinity(publicValue)) { + PORT_SetError(SEC_ERROR_BAD_KEY); + return SECFailure; + } +@@ -633,84 +658,108 @@ ECDH_Derive(SECItem *publicValue, + for (i = 0; i < derivedSecret->len; i++) + printf("%02x:", derivedSecret->data[i]); + printf("\n"); + #endif + + cleanup: + mp_clear(&k); + +- if (err) { +- MP_TO_SEC_ERROR(err); +- } +- + if (pointQ.data) { + PORT_ZFree(pointQ.data, pointQ.len); + } + ++done: ++ ++ if (err) { ++ MP_TO_SEC_ERROR(err); ++ } ++ if (rv != SECSuccess) { ++ SECITEM_ZfreeItem(derivedSecret, PR_FALSE); ++ } + return rv; + } + + /* Computes the ECDSA signature (a concatenation of two values r and s) + * on the digest using the given key and the random value kb (used in + * computing s). + */ + + static SECStatus + ec_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, + const SECItem *digest, const unsigned char *kb, const int kblen) + { + SECStatus rv = SECFailure; ++ ECParams *ecParams = NULL; ++ mp_err err = MP_OKAY; ++ int flen = 0; /* length in bytes of the field size */ ++ unsigned olen; /* length in bytes of the base point order */ ++ ++ /* Check args */ ++ if (!key || !signature || !digest || !kb || (kblen <= 0)) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ rv = SECFailure; ++ goto done; ++ } ++ ++ ecParams = &(key->ecParams); ++ flen = (ecParams->fieldID.size + 7) >> 3; ++ olen = ecParams->order.len; ++ if (signature->data == NULL) { ++ /* a call to get the signature length only */ ++ signature->len = 2 * olen; ++ rv = SECSuccess; ++ goto done; ++ } ++ if (signature->len < 2 * olen) { ++ PORT_SetError(SEC_ERROR_OUTPUT_LEN); ++ rv = SECFailure; ++ goto done; ++ } ++ ++ /* Perform curve specific signature using ECMethod */ ++ if (ecParams->fieldID.type == ec_field_plain) { ++ const ECMethod *method = ec_get_method_from_name(ecParams->name); ++ if (method == NULL || method->sign_digest == NULL) { ++ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); ++ rv = SECFailure; ++ goto done; ++ } ++ rv = method->sign_digest(key, signature, digest, kb, kblen); ++ if (rv != SECSuccess) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ } ++ goto done; ++ } ++ + mp_int x1; + mp_int d, k; /* private key, random integer */ + mp_int r, s; /* tuple (r, s) is the signature */ + mp_int t; /* holding tmp values */ + mp_int n; + mp_int ar; /* blinding value */ +- mp_err err = MP_OKAY; +- ECParams *ecParams = NULL; + SECItem kGpoint = { siBuffer, NULL, 0 }; +- int flen = 0; /* length in bytes of the field size */ +- unsigned olen; /* length in bytes of the base point order */ ++ unsigned char *t2 = NULL; + unsigned obits; /* length in bits of the base point order */ +- unsigned char *t2 = NULL; + + #if EC_DEBUG + char mpstr[256]; + #endif + + /* Initialize MPI integers. */ + /* must happen before the first potential call to cleanup */ + MP_DIGITS(&x1) = 0; + MP_DIGITS(&d) = 0; + MP_DIGITS(&k) = 0; + MP_DIGITS(&r) = 0; + MP_DIGITS(&s) = 0; + MP_DIGITS(&n) = 0; + MP_DIGITS(&t) = 0; + MP_DIGITS(&ar) = 0; + +- /* Check args */ +- if (!key || !signature || !digest || !kb || (kblen < 0)) { +- PORT_SetError(SEC_ERROR_INVALID_ARGS); +- goto cleanup; +- } +- +- ecParams = &(key->ecParams); +- flen = (ecParams->fieldID.size + 7) >> 3; +- olen = ecParams->order.len; +- if (signature->data == NULL) { +- /* a call to get the signature length only */ +- goto finish; +- } +- if (signature->len < 2 * olen) { +- PORT_SetError(SEC_ERROR_OUTPUT_LEN); +- goto cleanup; +- } +- + CHECK_MPI_OK(mp_init(&x1)); + CHECK_MPI_OK(mp_init(&d)); + CHECK_MPI_OK(mp_init(&k)); + CHECK_MPI_OK(mp_init(&r)); + CHECK_MPI_OK(mp_init(&s)); + CHECK_MPI_OK(mp_init(&n)); + CHECK_MPI_OK(mp_init(&t)); + CHECK_MPI_OK(mp_init(&ar)); +@@ -846,21 +895,21 @@ ec_SignDigestWithSeed(ECPrivateKey *key, + } + + /* + ** + ** Signature is tuple (r, s) + */ + CHECK_MPI_OK(mp_to_fixlen_octets(&r, signature->data, olen)); + CHECK_MPI_OK(mp_to_fixlen_octets(&s, signature->data + olen, olen)); +-finish: ++ + signature->len = 2 * olen; +- + rv = SECSuccess; + err = MP_OKAY; ++ + cleanup: + mp_clear(&x1); + mp_clear(&d); + mp_clear(&k); + mp_clear(&r); + mp_clear(&s); + mp_clear(&n); + mp_clear(&t); +@@ -869,16 +918,17 @@ cleanup: + if (t2) { + PORT_ZFree(t2, 2 * ecParams->order.len); + } + + if (kGpoint.data) { + PORT_ZFree(kGpoint.data, kGpoint.len); + } + ++done: + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; + } + + #if EC_DEBUG + printf("ECDSA signing with seed %s\n", + (rv == SECSuccess) ? "succeeded" : "failed"); +@@ -887,22 +937,22 @@ cleanup: + return rv; + } + + SECStatus + ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, + const SECItem *digest, const unsigned char *kb, const int kblen) + { + #if EC_DEBUG || EC_DOUBLECHECK +- + SECItem *signature2 = SECITEM_AllocItem(NULL, NULL, signature->len); + SECStatus signSuccess = ec_SignDigestWithSeed(key, signature, digest, kb, kblen); + SECStatus signSuccessDouble = ec_SignDigestWithSeed(key, signature2, digest, kb, kblen); +- int signaturesEqual = NSS_SecureMemcmp(signature, signature2, signature->len); ++ int signaturesEqual = NSS_SecureMemcmp(signature->data, signature2->data, signature->len); + SECStatus rv; ++ + if ((signaturesEqual == 0) && (signSuccess == SECSuccess) && (signSuccessDouble == SECSuccess)) { + rv = SECSuccess; + } else { + rv = SECFailure; + } + + #if EC_DEBUG + printf("ECDSA signing with seed %s after signing twice\n", (rv == SECSuccess) ? "succeeded" : "failed"); +@@ -961,60 +1011,78 @@ cleanup: + ** of this function is undefined. In cases where a public key might + ** not be valid, use EC_ValidatePublicKey to check. + */ + SECStatus + ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, + const SECItem *digest) + { + SECStatus rv = SECFailure; ++ ECParams *ecParams = NULL; ++ mp_err err = MP_OKAY; ++ ++ /* Check args */ ++ if (!key || !signature || !digest) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ rv = SECFailure; ++ goto done; ++ } ++ ++ ecParams = &(key->ecParams); ++ ++ /* Perform curve specific signature verification using ECMethod */ ++ if (ecParams->fieldID.type == ec_field_plain) { ++ const ECMethod *method = ec_get_method_from_name(ecParams->name); ++ if (method == NULL || method->verify_digest == NULL) { ++ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); ++ rv = SECFailure; ++ goto done; ++ } ++ rv = method->verify_digest(key, signature, digest); ++ if (rv != SECSuccess) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ } ++ goto done; ++ } ++ + mp_int r_, s_; /* tuple (r', s') is received signature) */ + mp_int c, u1, u2, v; /* intermediate values used in verification */ + mp_int x1; + mp_int n; +- mp_err err = MP_OKAY; +- ECParams *ecParams = NULL; + SECItem pointC = { siBuffer, NULL, 0 }; + int slen; /* length in bytes of a half signature (r or s) */ + int flen; /* length in bytes of the field size */ + unsigned olen; /* length in bytes of the base point order */ + unsigned obits; /* length in bits of the base point order */ + + #if EC_DEBUG + char mpstr[256]; + printf("ECDSA verification called\n"); + #endif + ++ flen = (ecParams->fieldID.size + 7) >> 3; ++ olen = ecParams->order.len; ++ if (signature->len == 0 || signature->len % 2 != 0 || ++ signature->len > 2 * olen) { ++ PORT_SetError(SEC_ERROR_INPUT_LEN); ++ goto cleanup; ++ } ++ slen = signature->len / 2; ++ + /* Initialize MPI integers. */ + /* must happen before the first potential call to cleanup */ + MP_DIGITS(&r_) = 0; + MP_DIGITS(&s_) = 0; + MP_DIGITS(&c) = 0; + MP_DIGITS(&u1) = 0; + MP_DIGITS(&u2) = 0; + MP_DIGITS(&x1) = 0; + MP_DIGITS(&v) = 0; + MP_DIGITS(&n) = 0; + +- /* Check args */ +- if (!key || !signature || !digest) { +- PORT_SetError(SEC_ERROR_INVALID_ARGS); +- goto cleanup; +- } +- +- ecParams = &(key->ecParams); +- flen = (ecParams->fieldID.size + 7) >> 3; +- olen = ecParams->order.len; +- if (signature->len == 0 || signature->len % 2 != 0 || +- signature->len > 2 * olen) { +- PORT_SetError(SEC_ERROR_INPUT_LEN); +- goto cleanup; +- } +- slen = signature->len / 2; +- + /* + * The incoming point has been verified in sftk_handlePublicKeyObject. + */ + + SECITEM_AllocItem(NULL, &pointC, EC_GetPointSize(ecParams)); + if (pointC.data == NULL) { + goto cleanup; + } +@@ -1151,16 +1219,18 @@ cleanup: + mp_clear(&u1); + mp_clear(&u2); + mp_clear(&x1); + mp_clear(&v); + mp_clear(&n); + + if (pointC.data) + SECITEM_ZfreeItem(&pointC, PR_FALSE); ++ ++done: + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; + } + + #if EC_DEBUG + printf("ECDSA verification %s\n", + (rv == SECSuccess) ? "succeeded" : "failed"); +diff --git a/lib/freebl/ec.h b/lib/freebl/ec.h +--- a/lib/freebl/ec.h ++++ b/lib/freebl/ec.h +@@ -10,12 +10,14 @@ + #define ANSI_X962_CURVE_OID_TOTAL_LEN 10 + #define SECG_CURVE_OID_TOTAL_LEN 7 + #define PKIX_NEWCURVES_OID_TOTAL_LEN 11 + + struct ECMethodStr { + ECCurveName name; + SECStatus (*mul)(SECItem *result, SECItem *scalar, SECItem *point); + SECStatus (*validate)(const SECItem *point); ++ SECStatus (*sign_digest)(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const unsigned int kblen); ++ SECStatus (*verify_digest)(ECPublicKey *key, const SECItem *signature, const SECItem *digest); + }; + typedef struct ECMethodStr ECMethod; + + #endif /* __ec_h_ */ +diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c +--- a/lib/freebl/ecdecode.c ++++ b/lib/freebl/ecdecode.c +@@ -150,17 +150,17 @@ EC_FillParams(PLArenaPool *arena, const + #endif + + switch (tag) { + case SEC_OID_ANSIX962_EC_PRIME256V1: + /* Populate params for prime256v1 aka secp256r1 + * (the NIST P-256 curve) + */ + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_X9_62_PRIME_256V1, +- ec_field_GFp, params)); ++ ec_field_plain, params)); + break; + + case SEC_OID_SECG_EC_SECP384R1: + /* Populate params for secp384r1 + * (the NIST P-384 curve) + */ + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_384R1, + ec_field_GFp, params)); +@@ -171,17 +171,18 @@ EC_FillParams(PLArenaPool *arena, const + * (the NIST P-521 curve) + */ + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, + ec_field_GFp, params)); + break; + + case SEC_OID_CURVE25519: + /* Populate params for Curve25519 */ +- CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, ec_field_plain, ++ CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, ++ ec_field_plain, + params)); + break; + + default: + break; + }; + + cleanup: +@@ -245,8 +246,23 @@ EC_GetPointSize(const ECParams *params) + return sizeInBytes * 2 + 1; + } + if (name == ECCurve25519) { + /* Only X here */ + return curveParams->scalarSize; + } + return curveParams->pointSize - 1; + } ++ ++int ++EC_GetScalarSize(const ECParams *params) ++{ ++ ECCurveName name = params->name; ++ const ECCurveBytes *curveParams; ++ ++ if ((name < ECCurve_noName) || (name > ECCurve_pastLastCurve) || ++ ((curveParams = ecCurve_map[name]) == NULL)) { ++ /* unknown curve, calculate scalar size from field size in params */ ++ int sizeInBytes = (params->fieldID.size + 7) / 8; ++ return sizeInBytes; ++ } ++ return curveParams->scalarSize; ++} +diff --git a/lib/freebl/ecl/ecl.h b/lib/freebl/ecl/ecl.h +--- a/lib/freebl/ecl/ecl.h ++++ b/lib/freebl/ecl/ecl.h +@@ -41,9 +41,18 @@ mp_err ECPoints_mul(const ECGroup *group + * Returns MP_YES if the public key is valid, MP_NO if the public key + * is invalid, or an error code if the validation could not be + * performed. */ + mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const mp_int *py); + + SECStatus ec_Curve25519_pt_mul(SECItem *X, SECItem *k, SECItem *P); + SECStatus ec_Curve25519_pt_validate(const SECItem *px); + ++SECStatus ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P); ++SECStatus ec_secp256r1_pt_validate(const SECItem *px); ++ ++SECStatus ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, ++ const SECItem *digest, const unsigned char *kb, ++ const unsigned int kblen); ++SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, ++ const SECItem *digest); ++ + #endif /* __ecl_h_ */ +diff --git a/lib/freebl/ecl/ecp_secp256r1.c b/lib/freebl/ecl/ecp_secp256r1.c +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/ecl/ecp_secp256r1.c +@@ -0,0 +1,229 @@ ++/* P-256 from HACL* */ ++ ++#ifdef FREEBL_NO_DEPEND ++#include "../stubs.h" ++#endif ++ ++#include "ecl-priv.h" ++#include "secitem.h" ++#include "secerr.h" ++#include "secmpi.h" ++#include "../verified/Hacl_P256.h" ++ ++/* ++ * Point Validation for P-256. ++ */ ++ ++SECStatus ++ec_secp256r1_pt_validate(const SECItem *pt) ++{ ++ SECStatus res = SECSuccess; ++ if (!pt || !pt->data) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ res = SECFailure; ++ return res; ++ } ++ ++ if (pt->len != 65) { ++ PORT_SetError(SEC_ERROR_BAD_KEY); ++ res = SECFailure; ++ return res; ++ } ++ ++ if (pt->data[0] != EC_POINT_FORM_UNCOMPRESSED) { ++ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); ++ res = SECFailure; ++ return res; ++ } ++ ++ bool b = Hacl_P256_validate_public_key(pt->data + 1); ++ ++ if (!b) { ++ PORT_SetError(SEC_ERROR_BAD_KEY); ++ res = SECFailure; ++ } ++ return res; ++} ++ ++/* ++ * Scalar multiplication for P-256. ++ * If P == NULL, the base point is used. ++ * Returns X = k*P ++ */ ++ ++SECStatus ++ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) ++{ ++ SECStatus res = SECSuccess; ++ if (!P) { ++ uint8_t derived[64] = { 0 }; ++ ++ if (!X || !k || !X->data || !k->data || ++ X->len < 65 || k->len != 32) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ res = SECFailure; ++ return res; ++ } ++ ++ bool b = Hacl_P256_dh_initiator(derived, k->data); ++ ++ if (!b) { ++ PORT_SetError(SEC_ERROR_BAD_KEY); ++ res = SECFailure; ++ return res; ++ } ++ ++ X->len = 65; ++ X->data[0] = EC_POINT_FORM_UNCOMPRESSED; ++ memcpy(X->data + 1, derived, 64); ++ ++ } else { ++ uint8_t full_key[32] = { 0 }; ++ uint8_t *key; ++ uint8_t derived[64] = { 0 }; ++ ++ if (!X || !k || !P || !X->data || !k->data || !P->data || ++ X->len < 32 || P->len != 65 || ++ P->data[0] != EC_POINT_FORM_UNCOMPRESSED) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ res = SECFailure; ++ return res; ++ } ++ ++ /* We consider keys of up to size 32, or of size 33 with a single leading 0 */ ++ if (k->len < 32) { ++ memcpy(full_key + 32 - k->len, k->data, k->len); ++ key = full_key; ++ } else if (k->len == 32) { ++ key = k->data; ++ } else if (k->len == 33 && k->data[0] == 0) { ++ key = k->data + 1; ++ } else { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ res = SECFailure; ++ return res; ++ } ++ ++ bool b = Hacl_P256_dh_responder(derived, P->data + 1, key); ++ ++ if (!b) { ++ PORT_SetError(SEC_ERROR_BAD_KEY); ++ res = SECFailure; ++ return res; ++ } ++ ++ X->len = 32; ++ memcpy(X->data, derived, 32); ++ } ++ ++ return res; ++} ++ ++/* ++ * ECDSA Signature for P-256 ++ */ ++ ++SECStatus ++ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, ++ const SECItem *digest, const unsigned char *kb, ++ const unsigned int kblen) ++{ ++ SECStatus res = SECSuccess; ++ ++ if (!key || !signature || !digest || !kb || ++ !key->privateValue.data || ++ !signature->data || !digest->data || ++ key->ecParams.name != ECCurve_NIST_P256) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ res = SECFailure; ++ return res; ++ } ++ ++ if (key->privateValue.len != 32 || ++ kblen == 0 || ++ digest->len == 0 || ++ signature->len < 64) { ++ PORT_SetError(SEC_ERROR_INPUT_LEN); ++ res = SECFailure; ++ return res; ++ } ++ ++ uint8_t hash[32] = { 0 }; ++ if (digest->len < 32) { ++ memcpy(hash + 32 - digest->len, digest->data, digest->len); ++ } else { ++ memcpy(hash, digest->data, 32); ++ } ++ ++ uint8_t nonce[32] = { 0 }; ++ if (kblen < 32) { ++ memcpy(nonce + 32 - kblen, kb, kblen); ++ } else { ++ memcpy(nonce, kb, 32); ++ } ++ ++ bool b = Hacl_P256_ecdsa_sign_p256_without_hash( ++ signature->data, 32, hash, ++ key->privateValue.data, nonce); ++ if (!b) { ++ PORT_SetError(SEC_ERROR_BAD_KEY); ++ res = SECFailure; ++ return res; ++ } ++ ++ signature->len = 64; ++ return res; ++} ++ ++/* ++ * ECDSA Signature Verification for P-256 ++ */ ++ ++SECStatus ++ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, ++ const SECItem *digest) ++{ ++ SECStatus res = SECSuccess; ++ ++ if (!key || !signature || !digest || ++ !key->publicValue.data || ++ !signature->data || !digest->data || ++ key->ecParams.name != ECCurve_NIST_P256) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ res = SECFailure; ++ return res; ++ } ++ ++ if (key->publicValue.len != 65 || ++ digest->len == 0 || ++ signature->len != 64) { ++ PORT_SetError(SEC_ERROR_INPUT_LEN); ++ res = SECFailure; ++ return res; ++ } ++ ++ if (key->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { ++ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); ++ res = SECFailure; ++ return res; ++ } ++ ++ uint8_t hash[32] = { 0 }; ++ if (digest->len < 32) { ++ memcpy(hash + 32 - digest->len, digest->data, digest->len); ++ } else { ++ memcpy(hash, digest->data, 32); ++ } ++ ++ bool b = Hacl_P256_ecdsa_verif_without_hash( ++ 32, hash, ++ key->publicValue.data + 1, ++ signature->data, signature->data + 32); ++ if (!b) { ++ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); ++ res = SECFailure; ++ return res; ++ } ++ ++ return res; ++} +diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp +--- a/lib/freebl/freebl.gyp ++++ b/lib/freebl/freebl.gyp +@@ -838,24 +838,26 @@ + 'MP_IS_LITTLE_ENDIAN', + ], + }], + # Poly1305_256 requires the flag to run + ['target_arch=="x64"', { + 'defines':[ + 'HACL_CAN_COMPILE_VEC128', + 'HACL_CAN_COMPILE_VEC256', ++ 'HACL_CAN_COMPILE_INTRINSICS', + ], + }], + # MSVC has no __int128 type. Use emulated int128 and leave + # have_int128_support as-is for Curve25519 impl. selection. + [ 'have_int128_support==1 and (OS!="win" or cc_is_clang==1 or cc_is_gcc==1)', { + 'defines': [ + # The Makefile does version-tests on GCC, but we're not doing that here. + 'HAVE_INT128_SUPPORT', ++ 'HACL_CAN_COMPILE_UINT128' + ], + }, { + 'defines': [ + 'KRML_VERIFIED_UINT128', + ], + }], + [ 'OS=="linux"', { + 'defines': [ +diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi +--- a/lib/freebl/freebl_base.gypi ++++ b/lib/freebl/freebl_base.gypi +@@ -29,18 +29,20 @@ + 'ecl/ecp_256.c', + 'ecl/ecp_256_32.c', + 'ecl/ecp_384.c', + 'ecl/ecp_521.c', + 'ecl/ecp_aff.c', + 'ecl/ecp_jac.c', + 'ecl/ecp_jm.c', + 'ecl/ecp_mont.c', ++ 'ecl/ecp_secp256r1.c', + 'ecl/ecp_secp384r1.c', + 'ecl/ecp_secp521r1.c', ++ 'verified/Hacl_P256.c', + 'fipsfreebl.c', + 'blinit.c', + 'freeblver.c', + 'gcm.c', + 'hmacct.c', + 'jpake.c', + 'ldvector.c', + 'md2.c', +diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn +--- a/lib/freebl/manifest.mn ++++ b/lib/freebl/manifest.mn +@@ -102,17 +102,17 @@ PRIVATE_EXPORTS = \ + MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h + MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c + + + ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h + ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \ + ecp_aff.c ecp_jac.c ecp_mont.c \ + ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \ +- ecp_256_32.c ecp_25519.c ecp_secp384r1.c ecp_secp521r1.c ++ ecp_256_32.c ecp_25519.c ecp_secp256r1.c ecp_secp384r1.c ecp_secp521r1.c + SHA_SRCS = sha_fast.c + MPCPU_SRCS = mpcpucache.c + VERIFIED_SRCS = $(NULL) + + CSRCS = \ + freeblver.c \ + ldvector.c \ + sysrand.c \ +diff --git a/lib/freebl/verified/Hacl_P256.c b/lib/freebl/verified/Hacl_P256.c +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/verified/Hacl_P256.c +@@ -0,0 +1,1832 @@ ++/* MIT License ++ * ++ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation ++ * Copyright (c) 2022-2023 HACL* Contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#include "internal/Hacl_P256.h" ++ ++#include "internal/Hacl_P256_PrecompTable.h" ++#include "internal/Hacl_Krmllib.h" ++#include "internal/Hacl_Bignum_Base.h" ++#include "lib_intrinsics.h" ++ ++static inline uint64_t ++bn_is_zero_mask4(uint64_t *f) ++{ ++ uint64_t bn_zero[4U] = { 0U }; ++ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t uu____0 = FStar_UInt64_eq_mask(f[i], bn_zero[i]); ++ mask = uu____0 & mask;); ++ uint64_t mask1 = mask; ++ uint64_t res = mask1; ++ return res; ++} ++ ++static inline bool ++bn_is_zero_vartime4(uint64_t *f) ++{ ++ uint64_t m = bn_is_zero_mask4(f); ++ return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++} ++ ++static inline uint64_t ++bn_is_eq_mask4(uint64_t *a, uint64_t *b) ++{ ++ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); ++ mask = uu____0 & mask;); ++ uint64_t mask1 = mask; ++ return mask1; ++} ++ ++static inline bool ++bn_is_eq_vartime4(uint64_t *a, uint64_t *b) ++{ ++ uint64_t m = bn_is_eq_mask4(a, b); ++ return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++} ++ ++static inline void ++bn_cmovznz4(uint64_t *res, uint64_t cin, uint64_t *x, uint64_t *y) ++{ ++ uint64_t mask = ~FStar_UInt64_eq_mask(cin, (uint64_t)0U); ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = res; ++ uint64_t uu____0 = x[i]; ++ uint64_t x1 = uu____0 ^ (mask & (y[i] ^ uu____0)); ++ os[i] = x1;); ++} ++ ++static inline void ++bn_add_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t *y) ++{ ++ uint64_t c0 = (uint64_t)0U; ++ { ++ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; ++ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); ++ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); ++ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); ++ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); ++ } ++ uint64_t c00 = c0; ++ uint64_t tmp[4U] = { 0U }; ++ uint64_t c = (uint64_t)0U; ++ { ++ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); ++ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); ++ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); ++ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); ++ } ++ uint64_t c1 = c; ++ uint64_t c2 = c00 - c1; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = res; ++ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); ++ os[i] = x1;); ++} ++ ++static inline uint64_t ++bn_sub4(uint64_t *res, uint64_t *x, uint64_t *y) ++{ ++ uint64_t c = (uint64_t)0U; ++ { ++ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); ++ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); ++ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); ++ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); ++ } ++ uint64_t c0 = c; ++ return c0; ++} ++ ++static inline void ++bn_sub_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t *y) ++{ ++ uint64_t c0 = (uint64_t)0U; ++ { ++ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; ++ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); ++ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); ++ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); ++ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); ++ } ++ uint64_t c00 = c0; ++ uint64_t tmp[4U] = { 0U }; ++ uint64_t c = (uint64_t)0U; ++ { ++ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); ++ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); ++ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); ++ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); ++ } ++ uint64_t c1 = c; ++ // TODO: remove unused variable ++ (void)c1; ++ uint64_t c2 = (uint64_t)0U - c00; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = res; ++ uint64_t x1 = (c2 & tmp[i]) | (~c2 & res[i]); ++ os[i] = x1;); ++} ++ ++static inline void ++bn_mul4(uint64_t *res, uint64_t *x, uint64_t *y) ++{ ++ memset(res, 0U, (uint32_t)8U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR4( ++ i0, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t bj = y[i0]; ++ uint64_t *res_j = res + i0; ++ uint64_t c = (uint64_t)0U; ++ { ++ uint64_t a_i = x[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = res_j + (uint32_t)4U * (uint32_t)0U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); ++ uint64_t a_i0 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); ++ uint64_t a_i1 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); ++ uint64_t a_i2 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); ++ } uint64_t r = c; ++ res[(uint32_t)4U + i0] = r;); ++} ++ ++static inline void ++bn_sqr4(uint64_t *res, uint64_t *x) ++{ ++ memset(res, 0U, (uint32_t)8U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR4( ++ i0, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *ab = x; ++ uint64_t a_j = x[i0]; ++ uint64_t *res_j = res + i0; ++ uint64_t c = (uint64_t)0U; ++ for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) { ++ uint64_t a_i = ab[(uint32_t)4U * i]; ++ uint64_t *res_i0 = res_j + (uint32_t)4U * i; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); ++ uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; ++ uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); ++ uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; ++ uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); ++ uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; ++ uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); ++ } ++ for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) { ++ uint64_t a_i = ab[i]; ++ uint64_t *res_i = res_j + i; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); ++ } ++ uint64_t r = c; ++ res[i0 + i0] = r;); ++ uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, res, res); ++ // TODO: remove unused variable ++ (void)c0; ++ uint64_t tmp[8U] = { 0U }; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(x[i], x[i]); ++ uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); ++ uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); ++ tmp[(uint32_t)2U * i] = lo; ++ tmp[(uint32_t)2U * i + (uint32_t)1U] = hi;); ++ uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, tmp, res); ++ // TODO: remove unused variable ++ (void)c1; ++} ++ ++static inline void ++bn_to_bytes_be4(uint8_t *res, uint64_t *f) ++{ ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ store64_be(res + i * (uint32_t)8U, f[(uint32_t)4U - i - (uint32_t)1U]);); ++} ++ ++static inline void ++bn_from_bytes_be4(uint64_t *res, uint8_t *b) ++{ ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = res; ++ uint64_t u = load64_be(b + ((uint32_t)4U - i - (uint32_t)1U) * (uint32_t)8U); ++ uint64_t x = u; ++ os[i] = x;); ++} ++ ++static inline void ++bn2_to_bytes_be4(uint8_t *res, uint64_t *x, uint64_t *y) ++{ ++ bn_to_bytes_be4(res, x); ++ bn_to_bytes_be4(res + (uint32_t)32U, y); ++} ++ ++static inline void ++make_prime(uint64_t *n) ++{ ++ n[0U] = (uint64_t)0xffffffffffffffffU; ++ n[1U] = (uint64_t)0xffffffffU; ++ n[2U] = (uint64_t)0x0U; ++ n[3U] = (uint64_t)0xffffffff00000001U; ++} ++ ++static inline void ++make_order(uint64_t *n) ++{ ++ n[0U] = (uint64_t)0xf3b9cac2fc632551U; ++ n[1U] = (uint64_t)0xbce6faada7179e84U; ++ n[2U] = (uint64_t)0xffffffffffffffffU; ++ n[3U] = (uint64_t)0xffffffff00000000U; ++} ++ ++static inline void ++make_a_coeff(uint64_t *a) ++{ ++ a[0U] = (uint64_t)0xfffffffffffffffcU; ++ a[1U] = (uint64_t)0x3ffffffffU; ++ a[2U] = (uint64_t)0x0U; ++ a[3U] = (uint64_t)0xfffffffc00000004U; ++} ++ ++static inline void ++make_b_coeff(uint64_t *b) ++{ ++ b[0U] = (uint64_t)0xd89cdf6229c4bddfU; ++ b[1U] = (uint64_t)0xacf005cd78843090U; ++ b[2U] = (uint64_t)0xe5a220abf7212ed6U; ++ b[3U] = (uint64_t)0xdc30061d04874834U; ++} ++ ++static inline void ++make_g_x(uint64_t *n) ++{ ++ n[0U] = (uint64_t)0x79e730d418a9143cU; ++ n[1U] = (uint64_t)0x75ba95fc5fedb601U; ++ n[2U] = (uint64_t)0x79fb732b77622510U; ++ n[3U] = (uint64_t)0x18905f76a53755c6U; ++} ++ ++static inline void ++make_g_y(uint64_t *n) ++{ ++ n[0U] = (uint64_t)0xddf25357ce95560aU; ++ n[1U] = (uint64_t)0x8b4ab8e4ba19e45cU; ++ n[2U] = (uint64_t)0xd2e88688dd21f325U; ++ n[3U] = (uint64_t)0x8571ff1825885d85U; ++} ++ ++static inline void ++make_fmont_R2(uint64_t *n) ++{ ++ n[0U] = (uint64_t)0x3U; ++ n[1U] = (uint64_t)0xfffffffbffffffffU; ++ n[2U] = (uint64_t)0xfffffffffffffffeU; ++ n[3U] = (uint64_t)0x4fffffffdU; ++} ++ ++static inline void ++make_fzero(uint64_t *n) ++{ ++ n[0U] = (uint64_t)0U; ++ n[1U] = (uint64_t)0U; ++ n[2U] = (uint64_t)0U; ++ n[3U] = (uint64_t)0U; ++} ++ ++static inline void ++make_fone(uint64_t *n) ++{ ++ n[0U] = (uint64_t)0x1U; ++ n[1U] = (uint64_t)0xffffffff00000000U; ++ n[2U] = (uint64_t)0xffffffffffffffffU; ++ n[3U] = (uint64_t)0xfffffffeU; ++} ++ ++static inline uint64_t ++bn_is_lt_prime_mask4(uint64_t *f) ++{ ++ uint64_t tmp[4U] = { 0U }; ++ make_prime(tmp); ++ uint64_t c = bn_sub4(tmp, f, tmp); ++ return (uint64_t)0U - c; ++} ++ ++static inline uint64_t ++feq_mask(uint64_t *a, uint64_t *b) ++{ ++ uint64_t r = bn_is_eq_mask4(a, b); ++ return r; ++} ++ ++static inline void ++fadd0(uint64_t *res, uint64_t *x, uint64_t *y) ++{ ++ uint64_t n[4U] = { 0U }; ++ make_prime(n); ++ bn_add_mod4(res, n, x, y); ++} ++ ++static inline void ++fsub0(uint64_t *res, uint64_t *x, uint64_t *y) ++{ ++ uint64_t n[4U] = { 0U }; ++ make_prime(n); ++ bn_sub_mod4(res, n, x, y); ++} ++ ++static inline void ++fnegate_conditional_vartime(uint64_t *f, bool is_negate) ++{ ++ uint64_t zero[4U] = { 0U }; ++ if (is_negate) { ++ fsub0(f, zero, f); ++ } ++} ++ ++static inline void ++mont_reduction(uint64_t *res, uint64_t *x) ++{ ++ uint64_t n[4U] = { 0U }; ++ make_prime(n); ++ uint64_t c0 = (uint64_t)0U; ++ KRML_MAYBE_FOR4( ++ i0, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t qj = (uint64_t)1U * x[i0]; ++ uint64_t *res_j0 = x + i0; ++ uint64_t c = (uint64_t)0U; ++ { ++ uint64_t a_i = n[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = res_j0 + (uint32_t)4U * (uint32_t)0U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); ++ uint64_t a_i0 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); ++ uint64_t a_i1 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); ++ uint64_t a_i2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); ++ } uint64_t r = c; ++ uint64_t c1 = r; ++ uint64_t *resb = x + (uint32_t)4U + i0; ++ uint64_t res_j = x[(uint32_t)4U + i0]; ++ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); ++ memcpy(res, x + (uint32_t)4U, (uint32_t)4U * sizeof(uint64_t)); ++ uint64_t c00 = c0; ++ uint64_t tmp[4U] = { 0U }; ++ uint64_t c = (uint64_t)0U; ++ { ++ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); ++ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); ++ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); ++ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); ++ } ++ uint64_t c1 = c; ++ uint64_t c2 = c00 - c1; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = res; ++ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); ++ os[i] = x1;); ++} ++ ++static inline void ++fmul0(uint64_t *res, uint64_t *x, uint64_t *y) ++{ ++ uint64_t tmp[8U] = { 0U }; ++ bn_mul4(tmp, x, y); ++ mont_reduction(res, tmp); ++} ++ ++static inline void ++fsqr0(uint64_t *res, uint64_t *x) ++{ ++ uint64_t tmp[8U] = { 0U }; ++ bn_sqr4(tmp, x); ++ mont_reduction(res, tmp); ++} ++ ++static inline void ++from_mont(uint64_t *res, uint64_t *a) ++{ ++ uint64_t tmp[8U] = { 0U }; ++ memcpy(tmp, a, (uint32_t)4U * sizeof(uint64_t)); ++ mont_reduction(res, tmp); ++} ++ ++static inline void ++to_mont(uint64_t *res, uint64_t *a) ++{ ++ uint64_t r2modn[4U] = { 0U }; ++ make_fmont_R2(r2modn); ++ fmul0(res, a, r2modn); ++} ++ ++static inline void ++fmul_by_b_coeff(uint64_t *res, uint64_t *x) ++{ ++ uint64_t b_coeff[4U] = { 0U }; ++ make_b_coeff(b_coeff); ++ fmul0(res, b_coeff, x); ++} ++ ++static inline void ++fcube(uint64_t *res, uint64_t *x) ++{ ++ fsqr0(res, x); ++ fmul0(res, res, x); ++} ++ ++static inline void ++finv(uint64_t *res, uint64_t *a) ++{ ++ uint64_t tmp[16U] = { 0U }; ++ uint64_t *x30 = tmp; ++ uint64_t *x2 = tmp + (uint32_t)4U; ++ uint64_t *tmp1 = tmp + (uint32_t)8U; ++ uint64_t *tmp2 = tmp + (uint32_t)12U; ++ memcpy(x2, a, (uint32_t)4U * sizeof(uint64_t)); ++ { ++ fsqr0(x2, x2); ++ } ++ fmul0(x2, x2, a); ++ memcpy(x30, x2, (uint32_t)4U * sizeof(uint64_t)); ++ { ++ fsqr0(x30, x30); ++ } ++ fmul0(x30, x30, a); ++ memcpy(tmp1, x30, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, fsqr0(tmp1, tmp1);); ++ fmul0(tmp1, tmp1, x30); ++ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, fsqr0(tmp2, tmp2);); ++ fmul0(tmp2, tmp2, tmp1); ++ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, fsqr0(tmp1, tmp1);); ++ fmul0(tmp1, tmp1, x30); ++ memcpy(x30, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR15(i, (uint32_t)0U, (uint32_t)15U, (uint32_t)1U, fsqr0(x30, x30);); ++ fmul0(x30, x30, tmp1); ++ memcpy(tmp1, x30, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(tmp1, tmp1);); ++ fmul0(tmp1, tmp1, x2); ++ memcpy(x2, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { ++ fsqr0(x2, x2); ++ } ++ fmul0(x2, x2, a); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) { ++ fsqr0(x2, x2); ++ } ++ fmul0(x2, x2, tmp1); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { ++ fsqr0(x2, x2); ++ } ++ fmul0(x2, x2, tmp1); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)30U; i++) { ++ fsqr0(x2, x2); ++ } ++ fmul0(x2, x2, x30); ++ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(x2, x2);); ++ fmul0(tmp1, x2, a); ++ memcpy(res, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++} ++ ++static inline void ++fsqrt(uint64_t *res, uint64_t *a) ++{ ++ uint64_t tmp[8U] = { 0U }; ++ uint64_t *tmp1 = tmp; ++ uint64_t *tmp2 = tmp + (uint32_t)4U; ++ memcpy(tmp1, a, (uint32_t)4U * sizeof(uint64_t)); ++ { ++ fsqr0(tmp1, tmp1); ++ } ++ fmul0(tmp1, tmp1, a); ++ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(tmp2, tmp2);); ++ fmul0(tmp2, tmp2, tmp1); ++ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, fsqr0(tmp1, tmp1);); ++ fmul0(tmp1, tmp1, tmp2); ++ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, fsqr0(tmp2, tmp2);); ++ fmul0(tmp2, tmp2, tmp1); ++ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR16(i, (uint32_t)0U, (uint32_t)16U, (uint32_t)1U, fsqr0(tmp1, tmp1);); ++ fmul0(tmp1, tmp1, tmp2); ++ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { ++ fsqr0(tmp2, tmp2); ++ } ++ fmul0(tmp2, tmp2, a); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)96U; i++) { ++ fsqr0(tmp2, tmp2); ++ } ++ fmul0(tmp2, tmp2, a); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)94U; i++) { ++ fsqr0(tmp2, tmp2); ++ } ++ memcpy(res, tmp2, (uint32_t)4U * sizeof(uint64_t)); ++} ++ ++static inline void ++make_base_point(uint64_t *p) ++{ ++ uint64_t *x = p; ++ uint64_t *y = p + (uint32_t)4U; ++ uint64_t *z = p + (uint32_t)8U; ++ make_g_x(x); ++ make_g_y(y); ++ make_fone(z); ++} ++ ++static inline void ++make_point_at_inf(uint64_t *p) ++{ ++ uint64_t *x = p; ++ uint64_t *y = p + (uint32_t)4U; ++ uint64_t *z = p + (uint32_t)8U; ++ make_fzero(x); ++ make_fone(y); ++ make_fzero(z); ++} ++ ++static inline bool ++is_point_at_inf_vartime(uint64_t *p) ++{ ++ uint64_t *pz = p + (uint32_t)8U; ++ return bn_is_zero_vartime4(pz); ++} ++ ++static inline void ++to_aff_point(uint64_t *res, uint64_t *p) ++{ ++ uint64_t zinv[4U] = { 0U }; ++ uint64_t *px = p; ++ uint64_t *py = p + (uint32_t)4U; ++ uint64_t *pz = p + (uint32_t)8U; ++ uint64_t *x = res; ++ uint64_t *y = res + (uint32_t)4U; ++ finv(zinv, pz); ++ fmul0(x, px, zinv); ++ fmul0(y, py, zinv); ++ from_mont(x, x); ++ from_mont(y, y); ++} ++ ++static inline void ++to_aff_point_x(uint64_t *res, uint64_t *p) ++{ ++ uint64_t zinv[4U] = { 0U }; ++ uint64_t *px = p; ++ uint64_t *pz = p + (uint32_t)8U; ++ finv(zinv, pz); ++ fmul0(res, px, zinv); ++ from_mont(res, res); ++} ++ ++static inline void ++to_proj_point(uint64_t *res, uint64_t *p) ++{ ++ uint64_t *px = p; ++ uint64_t *py = p + (uint32_t)4U; ++ uint64_t *rx = res; ++ uint64_t *ry = res + (uint32_t)4U; ++ uint64_t *rz = res + (uint32_t)8U; ++ to_mont(rx, px); ++ to_mont(ry, py); ++ make_fone(rz); ++} ++ ++static inline bool ++is_on_curve_vartime(uint64_t *p) ++{ ++ uint64_t rp[4U] = { 0U }; ++ uint64_t tx[4U] = { 0U }; ++ uint64_t ty[4U] = { 0U }; ++ uint64_t *px = p; ++ uint64_t *py = p + (uint32_t)4U; ++ to_mont(tx, px); ++ to_mont(ty, py); ++ uint64_t tmp[4U] = { 0U }; ++ fcube(rp, tx); ++ make_a_coeff(tmp); ++ fmul0(tmp, tmp, tx); ++ fadd0(rp, tmp, rp); ++ make_b_coeff(tmp); ++ fadd0(rp, tmp, rp); ++ fsqr0(ty, ty); ++ uint64_t r = feq_mask(ty, rp); ++ bool r0 = r == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++ return r0; ++} ++ ++static inline void ++aff_point_store(uint8_t *res, uint64_t *p) ++{ ++ uint64_t *px = p; ++ uint64_t *py = p + (uint32_t)4U; ++ bn2_to_bytes_be4(res, px, py); ++} ++ ++static inline void ++point_store(uint8_t *res, uint64_t *p) ++{ ++ uint64_t aff_p[8U] = { 0U }; ++ to_aff_point(aff_p, p); ++ aff_point_store(res, aff_p); ++} ++ ++static inline bool ++aff_point_load_vartime(uint64_t *p, uint8_t *b) ++{ ++ uint8_t *p_x = b; ++ uint8_t *p_y = b + (uint32_t)32U; ++ uint64_t *bn_p_x = p; ++ uint64_t *bn_p_y = p + (uint32_t)4U; ++ bn_from_bytes_be4(bn_p_x, p_x); ++ bn_from_bytes_be4(bn_p_y, p_y); ++ uint64_t *px = p; ++ uint64_t *py = p + (uint32_t)4U; ++ uint64_t lessX = bn_is_lt_prime_mask4(px); ++ uint64_t lessY = bn_is_lt_prime_mask4(py); ++ uint64_t res = lessX & lessY; ++ bool is_xy_valid = res == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++ if (!is_xy_valid) { ++ return false; ++ } ++ return is_on_curve_vartime(p); ++} ++ ++static inline bool ++load_point_vartime(uint64_t *p, uint8_t *b) ++{ ++ uint64_t p_aff[8U] = { 0U }; ++ bool res = aff_point_load_vartime(p_aff, b); ++ if (res) { ++ to_proj_point(p, p_aff); ++ } ++ return res; ++} ++ ++static inline bool ++aff_point_decompress_vartime(uint64_t *x, uint64_t *y, uint8_t *s) ++{ ++ uint8_t s0 = s[0U]; ++ uint8_t s01 = s0; ++ if (!(s01 == (uint8_t)0x02U || s01 == (uint8_t)0x03U)) { ++ return false; ++ } ++ uint8_t *xb = s + (uint32_t)1U; ++ bn_from_bytes_be4(x, xb); ++ uint64_t is_x_valid = bn_is_lt_prime_mask4(x); ++ bool is_x_valid1 = is_x_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++ bool is_y_odd = s01 == (uint8_t)0x03U; ++ if (!is_x_valid1) { ++ return false; ++ } ++ uint64_t y2M[4U] = { 0U }; ++ uint64_t xM[4U] = { 0U }; ++ uint64_t yM[4U] = { 0U }; ++ to_mont(xM, x); ++ uint64_t tmp[4U] = { 0U }; ++ fcube(y2M, xM); ++ make_a_coeff(tmp); ++ fmul0(tmp, tmp, xM); ++ fadd0(y2M, tmp, y2M); ++ make_b_coeff(tmp); ++ fadd0(y2M, tmp, y2M); ++ fsqrt(yM, y2M); ++ from_mont(y, yM); ++ fsqr0(yM, yM); ++ uint64_t r = feq_mask(yM, y2M); ++ bool is_y_valid = r == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++ bool is_y_valid0 = is_y_valid; ++ if (!is_y_valid0) { ++ return false; ++ } ++ uint64_t is_y_odd1 = y[0U] & (uint64_t)1U; ++ bool is_y_odd2 = is_y_odd1 == (uint64_t)1U; ++ fnegate_conditional_vartime(y, is_y_odd2 != is_y_odd); ++ return true; ++} ++ ++static inline void ++point_double(uint64_t *res, uint64_t *p) ++{ ++ uint64_t tmp[20U] = { 0U }; ++ uint64_t *x = p; ++ uint64_t *z = p + (uint32_t)8U; ++ uint64_t *x3 = res; ++ uint64_t *y3 = res + (uint32_t)4U; ++ uint64_t *z3 = res + (uint32_t)8U; ++ uint64_t *t0 = tmp; ++ uint64_t *t1 = tmp + (uint32_t)4U; ++ uint64_t *t2 = tmp + (uint32_t)8U; ++ uint64_t *t3 = tmp + (uint32_t)12U; ++ uint64_t *t4 = tmp + (uint32_t)16U; ++ uint64_t *x1 = p; ++ uint64_t *y = p + (uint32_t)4U; ++ uint64_t *z1 = p + (uint32_t)8U; ++ fsqr0(t0, x1); ++ fsqr0(t1, y); ++ fsqr0(t2, z1); ++ fmul0(t3, x1, y); ++ fadd0(t3, t3, t3); ++ fmul0(t4, y, z1); ++ fmul0(z3, x, z); ++ fadd0(z3, z3, z3); ++ fmul_by_b_coeff(y3, t2); ++ fsub0(y3, y3, z3); ++ fadd0(x3, y3, y3); ++ fadd0(y3, x3, y3); ++ fsub0(x3, t1, y3); ++ fadd0(y3, t1, y3); ++ fmul0(y3, x3, y3); ++ fmul0(x3, x3, t3); ++ fadd0(t3, t2, t2); ++ fadd0(t2, t2, t3); ++ fmul_by_b_coeff(z3, z3); ++ fsub0(z3, z3, t2); ++ fsub0(z3, z3, t0); ++ fadd0(t3, z3, z3); ++ fadd0(z3, z3, t3); ++ fadd0(t3, t0, t0); ++ fadd0(t0, t3, t0); ++ fsub0(t0, t0, t2); ++ fmul0(t0, t0, z3); ++ fadd0(y3, y3, t0); ++ fadd0(t0, t4, t4); ++ fmul0(z3, t0, z3); ++ fsub0(x3, x3, z3); ++ fmul0(z3, t0, t1); ++ fadd0(z3, z3, z3); ++ fadd0(z3, z3, z3); ++} ++ ++static inline void ++point_add(uint64_t *res, uint64_t *p, uint64_t *q) ++{ ++ uint64_t tmp[36U] = { 0U }; ++ uint64_t *t0 = tmp; ++ uint64_t *t1 = tmp + (uint32_t)24U; ++ uint64_t *x3 = t1; ++ uint64_t *y3 = t1 + (uint32_t)4U; ++ uint64_t *z3 = t1 + (uint32_t)8U; ++ uint64_t *t01 = t0; ++ uint64_t *t11 = t0 + (uint32_t)4U; ++ uint64_t *t2 = t0 + (uint32_t)8U; ++ uint64_t *t3 = t0 + (uint32_t)12U; ++ uint64_t *t4 = t0 + (uint32_t)16U; ++ uint64_t *t5 = t0 + (uint32_t)20U; ++ uint64_t *x1 = p; ++ uint64_t *y1 = p + (uint32_t)4U; ++ uint64_t *z10 = p + (uint32_t)8U; ++ uint64_t *x20 = q; ++ uint64_t *y20 = q + (uint32_t)4U; ++ uint64_t *z20 = q + (uint32_t)8U; ++ fmul0(t01, x1, x20); ++ fmul0(t11, y1, y20); ++ fmul0(t2, z10, z20); ++ fadd0(t3, x1, y1); ++ fadd0(t4, x20, y20); ++ fmul0(t3, t3, t4); ++ fadd0(t4, t01, t11); ++ uint64_t *y10 = p + (uint32_t)4U; ++ uint64_t *z11 = p + (uint32_t)8U; ++ uint64_t *y2 = q + (uint32_t)4U; ++ uint64_t *z21 = q + (uint32_t)8U; ++ fsub0(t3, t3, t4); ++ fadd0(t4, y10, z11); ++ fadd0(t5, y2, z21); ++ fmul0(t4, t4, t5); ++ fadd0(t5, t11, t2); ++ fsub0(t4, t4, t5); ++ uint64_t *x10 = p; ++ uint64_t *z1 = p + (uint32_t)8U; ++ uint64_t *x2 = q; ++ uint64_t *z2 = q + (uint32_t)8U; ++ fadd0(x3, x10, z1); ++ fadd0(y3, x2, z2); ++ fmul0(x3, x3, y3); ++ fadd0(y3, t01, t2); ++ fsub0(y3, x3, y3); ++ fmul_by_b_coeff(z3, t2); ++ fsub0(x3, y3, z3); ++ fadd0(z3, x3, x3); ++ fadd0(x3, x3, z3); ++ fsub0(z3, t11, x3); ++ fadd0(x3, t11, x3); ++ fmul_by_b_coeff(y3, y3); ++ fadd0(t11, t2, t2); ++ fadd0(t2, t11, t2); ++ fsub0(y3, y3, t2); ++ fsub0(y3, y3, t01); ++ fadd0(t11, y3, y3); ++ fadd0(y3, t11, y3); ++ fadd0(t11, t01, t01); ++ fadd0(t01, t11, t01); ++ fsub0(t01, t01, t2); ++ fmul0(t11, t4, y3); ++ fmul0(t2, t01, y3); ++ fmul0(y3, x3, z3); ++ fadd0(y3, y3, t2); ++ fmul0(x3, t3, x3); ++ fsub0(x3, x3, t11); ++ fmul0(z3, t4, z3); ++ fmul0(t11, t3, t01); ++ fadd0(z3, z3, t11); ++ memcpy(res, t1, (uint32_t)12U * sizeof(uint64_t)); ++} ++ ++static inline void ++point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p) ++{ ++ uint64_t table[192U] = { 0U }; ++ uint64_t tmp[12U] = { 0U }; ++ uint64_t *t0 = table; ++ uint64_t *t1 = table + (uint32_t)12U; ++ make_point_at_inf(t0); ++ memcpy(t1, p, (uint32_t)12U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR7(i, ++ (uint32_t)0U, ++ (uint32_t)7U, ++ (uint32_t)1U, ++ uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)12U; ++ point_double(tmp, t11); ++ memcpy(table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U, ++ tmp, ++ (uint32_t)12U * sizeof(uint64_t)); ++ uint64_t *t2 = table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U; ++ point_add(tmp, p, t2); ++ memcpy(table + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)12U, ++ tmp, ++ (uint32_t)12U * sizeof(uint64_t));); ++ make_point_at_inf(res); ++ uint64_t tmp0[12U] = { 0U }; ++ for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) { ++ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, point_double(res, res);); ++ uint32_t k = (uint32_t)256U - (uint32_t)4U * i0 - (uint32_t)4U; ++ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar, k, (uint32_t)4U); ++ memcpy(tmp0, (uint64_t *)table, (uint32_t)12U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR15(i1, ++ (uint32_t)0U, ++ (uint32_t)15U, ++ (uint32_t)1U, ++ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i1 + (uint32_t)1U)); ++ const uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)12U; ++ KRML_MAYBE_FOR12(i, ++ (uint32_t)0U, ++ (uint32_t)12U, ++ (uint32_t)1U, ++ uint64_t *os = tmp0; ++ uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); ++ os[i] = x;);); ++ point_add(res, res, tmp0); ++ } ++} ++ ++static inline void ++precomp_get_consttime(const uint64_t *table, uint64_t bits_l, uint64_t *tmp) ++{ ++ memcpy(tmp, (uint64_t *)table, (uint32_t)12U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR15(i0, ++ (uint32_t)0U, ++ (uint32_t)15U, ++ (uint32_t)1U, ++ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i0 + (uint32_t)1U)); ++ const uint64_t *res_j = table + (i0 + (uint32_t)1U) * (uint32_t)12U; ++ KRML_MAYBE_FOR12(i, ++ (uint32_t)0U, ++ (uint32_t)12U, ++ (uint32_t)1U, ++ uint64_t *os = tmp; ++ uint64_t x = (c & res_j[i]) | (~c & tmp[i]); ++ os[i] = x;);); ++} ++ ++static inline void ++point_mul_g(uint64_t *res, uint64_t *scalar) ++{ ++ uint64_t q1[12U] = { 0U }; ++ make_base_point(q1); ++ /* ++ uint64_t ++ q2[12U] = ++ { ++ (uint64_t)1499621593102562565U, (uint64_t)16692369783039433128U, ++ (uint64_t)15337520135922861848U, (uint64_t)5455737214495366228U, ++ (uint64_t)17827017231032529600U, (uint64_t)12413621606240782649U, ++ (uint64_t)2290483008028286132U, (uint64_t)15752017553340844820U, ++ (uint64_t)4846430910634234874U, (uint64_t)10861682798464583253U, ++ (uint64_t)15404737222404363049U, (uint64_t)363586619281562022U ++ }; ++ uint64_t ++ q3[12U] = ++ { ++ (uint64_t)14619254753077084366U, (uint64_t)13913835116514008593U, ++ (uint64_t)15060744674088488145U, (uint64_t)17668414598203068685U, ++ (uint64_t)10761169236902342334U, (uint64_t)15467027479157446221U, ++ (uint64_t)14989185522423469618U, (uint64_t)14354539272510107003U, ++ (uint64_t)14298211796392133693U, (uint64_t)13270323784253711450U, ++ (uint64_t)13380964971965046957U, (uint64_t)8686204248456909699U ++ }; ++ uint64_t ++ q4[12U] = ++ { ++ (uint64_t)7870395003430845958U, (uint64_t)18001862936410067720U, ++ (uint64_t)8006461232116967215U, (uint64_t)5921313779532424762U, ++ (uint64_t)10702113371959864307U, (uint64_t)8070517410642379879U, ++ (uint64_t)7139806720777708306U, (uint64_t)8253938546650739833U, ++ (uint64_t)17490482834545705718U, (uint64_t)1065249776797037500U, ++ (uint64_t)5018258455937968775U, (uint64_t)14100621120178668337U ++ }; ++ */ ++ uint64_t *r1 = scalar; ++ uint64_t *r2 = scalar + (uint32_t)1U; ++ uint64_t *r3 = scalar + (uint32_t)2U; ++ uint64_t *r4 = scalar + (uint32_t)3U; ++ make_point_at_inf(res); ++ uint64_t tmp[12U] = { 0U }; ++ KRML_MAYBE_FOR16(i, ++ (uint32_t)0U, ++ (uint32_t)16U, ++ (uint32_t)1U, ++ KRML_MAYBE_FOR4(i0, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, point_double(res, res);); ++ uint32_t k = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; ++ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r4, k, (uint32_t)4U); ++ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_192_table_w4, bits_l, tmp); ++ point_add(res, res, tmp); ++ uint32_t k0 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; ++ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r3, k0, (uint32_t)4U); ++ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_128_table_w4, bits_l0, tmp); ++ point_add(res, res, tmp); ++ uint32_t k1 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; ++ uint64_t bits_l1 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r2, k1, (uint32_t)4U); ++ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_64_table_w4, bits_l1, tmp); ++ point_add(res, res, tmp); ++ uint32_t k2 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; ++ uint64_t bits_l2 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r1, k2, (uint32_t)4U); ++ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_basepoint_table_w4, bits_l2, tmp); ++ point_add(res, res, tmp);); ++} ++ ++static inline void ++point_mul_double_g(uint64_t *res, uint64_t *scalar1, uint64_t *scalar2, uint64_t *q2) ++{ ++ uint64_t q1[12U] = { 0U }; ++ make_base_point(q1); ++ uint64_t table2[384U] = { 0U }; ++ uint64_t tmp[12U] = { 0U }; ++ uint64_t *t0 = table2; ++ uint64_t *t1 = table2 + (uint32_t)12U; ++ make_point_at_inf(t0); ++ memcpy(t1, q2, (uint32_t)12U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR15(i, ++ (uint32_t)0U, ++ (uint32_t)15U, ++ (uint32_t)1U, ++ uint64_t *t11 = table2 + (i + (uint32_t)1U) * (uint32_t)12U; ++ point_double(tmp, t11); ++ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U, ++ tmp, ++ (uint32_t)12U * sizeof(uint64_t)); ++ uint64_t *t2 = table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U; ++ point_add(tmp, q2, t2); ++ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)12U, ++ tmp, ++ (uint32_t)12U * sizeof(uint64_t));); ++ uint64_t tmp0[12U] = { 0U }; ++ uint32_t i0 = (uint32_t)255U; ++ uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar1, i0, (uint32_t)5U); ++ uint32_t bits_l32 = (uint32_t)bits_c; ++ const uint64_t ++ *a_bits_l = Hacl_P256_PrecompTable_precomp_basepoint_table_w5 + bits_l32 * (uint32_t)12U; ++ memcpy(res, (uint64_t *)a_bits_l, (uint32_t)12U * sizeof(uint64_t)); ++ uint32_t i1 = (uint32_t)255U; ++ uint64_t bits_c0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar2, i1, (uint32_t)5U); ++ uint32_t bits_l320 = (uint32_t)bits_c0; ++ const uint64_t *a_bits_l0 = table2 + bits_l320 * (uint32_t)12U; ++ memcpy(tmp0, (uint64_t *)a_bits_l0, (uint32_t)12U * sizeof(uint64_t)); ++ point_add(res, res, tmp0); ++ uint64_t tmp1[12U] = { 0U }; ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)51U; i++) { ++ KRML_MAYBE_FOR5(i2, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, point_double(res, res);); ++ uint32_t k = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U; ++ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar2, k, (uint32_t)5U); ++ uint32_t bits_l321 = (uint32_t)bits_l; ++ const uint64_t *a_bits_l1 = table2 + bits_l321 * (uint32_t)12U; ++ memcpy(tmp1, (uint64_t *)a_bits_l1, (uint32_t)12U * sizeof(uint64_t)); ++ point_add(res, res, tmp1); ++ uint32_t k0 = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U; ++ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar1, k0, (uint32_t)5U); ++ uint32_t bits_l322 = (uint32_t)bits_l0; ++ const uint64_t ++ *a_bits_l2 = Hacl_P256_PrecompTable_precomp_basepoint_table_w5 + bits_l322 * (uint32_t)12U; ++ memcpy(tmp1, (uint64_t *)a_bits_l2, (uint32_t)12U * sizeof(uint64_t)); ++ point_add(res, res, tmp1); ++ } ++} ++ ++static inline uint64_t ++bn_is_lt_order_mask4(uint64_t *f) ++{ ++ uint64_t tmp[4U] = { 0U }; ++ make_order(tmp); ++ uint64_t c = bn_sub4(tmp, f, tmp); ++ return (uint64_t)0U - c; ++} ++ ++static inline uint64_t ++bn_is_lt_order_and_gt_zero_mask4(uint64_t *f) ++{ ++ uint64_t is_lt_order = bn_is_lt_order_mask4(f); ++ uint64_t is_eq_zero = bn_is_zero_mask4(f); ++ return is_lt_order & ~is_eq_zero; ++} ++ ++static inline void ++qmod_short(uint64_t *res, uint64_t *x) ++{ ++ uint64_t tmp[4U] = { 0U }; ++ make_order(tmp); ++ uint64_t c = bn_sub4(tmp, x, tmp); ++ bn_cmovznz4(res, c, tmp, x); ++} ++ ++static inline void ++qadd(uint64_t *res, uint64_t *x, uint64_t *y) ++{ ++ uint64_t n[4U] = { 0U }; ++ make_order(n); ++ bn_add_mod4(res, n, x, y); ++} ++ ++static inline void ++qmont_reduction(uint64_t *res, uint64_t *x) ++{ ++ uint64_t n[4U] = { 0U }; ++ make_order(n); ++ uint64_t c0 = (uint64_t)0U; ++ KRML_MAYBE_FOR4( ++ i0, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t qj = (uint64_t)0xccd1c8aaee00bc4fU * x[i0]; ++ uint64_t *res_j0 = x + i0; ++ uint64_t c = (uint64_t)0U; ++ { ++ uint64_t a_i = n[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = res_j0 + (uint32_t)4U * (uint32_t)0U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); ++ uint64_t a_i0 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); ++ uint64_t a_i1 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); ++ uint64_t a_i2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); ++ } uint64_t r = c; ++ uint64_t c1 = r; ++ uint64_t *resb = x + (uint32_t)4U + i0; ++ uint64_t res_j = x[(uint32_t)4U + i0]; ++ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); ++ memcpy(res, x + (uint32_t)4U, (uint32_t)4U * sizeof(uint64_t)); ++ uint64_t c00 = c0; ++ uint64_t tmp[4U] = { 0U }; ++ uint64_t c = (uint64_t)0U; ++ { ++ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; ++ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); ++ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; ++ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); ++ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; ++ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); ++ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; ++ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; ++ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); ++ } ++ uint64_t c1 = c; ++ uint64_t c2 = c00 - c1; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = res; ++ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); ++ os[i] = x1;); ++} ++ ++static inline void ++from_qmont(uint64_t *res, uint64_t *x) ++{ ++ uint64_t tmp[8U] = { 0U }; ++ memcpy(tmp, x, (uint32_t)4U * sizeof(uint64_t)); ++ qmont_reduction(res, tmp); ++} ++ ++static inline void ++qmul(uint64_t *res, uint64_t *x, uint64_t *y) ++{ ++ uint64_t tmp[8U] = { 0U }; ++ bn_mul4(tmp, x, y); ++ qmont_reduction(res, tmp); ++} ++ ++static inline void ++qsqr(uint64_t *res, uint64_t *x) ++{ ++ uint64_t tmp[8U] = { 0U }; ++ bn_sqr4(tmp, x); ++ qmont_reduction(res, tmp); ++} ++ ++bool ++Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key) ++{ ++ uint64_t tmp[16U] = { 0U }; ++ uint64_t *sk = tmp; ++ uint64_t *pk = tmp + (uint32_t)4U; ++ bn_from_bytes_be4(sk, private_key); ++ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(sk); ++ uint64_t oneq[4U] = { 0U }; ++ oneq[0U] = (uint64_t)1U; ++ oneq[1U] = (uint64_t)0U; ++ oneq[2U] = (uint64_t)0U; ++ oneq[3U] = (uint64_t)0U; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = sk; ++ uint64_t uu____0 = oneq[i]; ++ uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); ++ os[i] = x;); ++ uint64_t is_sk_valid = is_b_valid; ++ point_mul_g(pk, sk); ++ point_store(public_key, pk); ++ return is_sk_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++} ++ ++bool ++Hacl_Impl_P256_DH_ecp256dh_r( ++ uint8_t *shared_secret, ++ uint8_t *their_pubkey, ++ uint8_t *private_key) ++{ ++ uint64_t tmp[16U] = { 0U }; ++ uint64_t *sk = tmp; ++ uint64_t *pk = tmp + (uint32_t)4U; ++ bool is_pk_valid = load_point_vartime(pk, their_pubkey); ++ bn_from_bytes_be4(sk, private_key); ++ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(sk); ++ uint64_t oneq[4U] = { 0U }; ++ oneq[0U] = (uint64_t)1U; ++ oneq[1U] = (uint64_t)0U; ++ oneq[2U] = (uint64_t)0U; ++ oneq[3U] = (uint64_t)0U; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = sk; ++ uint64_t uu____0 = oneq[i]; ++ uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); ++ os[i] = x;); ++ uint64_t is_sk_valid = is_b_valid; ++ uint64_t ss_proj[12U] = { 0U }; ++ if (is_pk_valid) { ++ point_mul(ss_proj, sk, pk); ++ point_store(shared_secret, ss_proj); ++ } ++ return is_sk_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU && is_pk_valid; ++} ++ ++static inline void ++qinv(uint64_t *res, uint64_t *r) ++{ ++ uint64_t tmp[28U] = { 0U }; ++ uint64_t *x6 = tmp; ++ uint64_t *x_11 = tmp + (uint32_t)4U; ++ uint64_t *x_101 = tmp + (uint32_t)8U; ++ uint64_t *x_111 = tmp + (uint32_t)12U; ++ uint64_t *x_1111 = tmp + (uint32_t)16U; ++ uint64_t *x_10101 = tmp + (uint32_t)20U; ++ uint64_t *x_101111 = tmp + (uint32_t)24U; ++ memcpy(x6, r, (uint32_t)4U * sizeof(uint64_t)); ++ { ++ qsqr(x6, x6); ++ } ++ qmul(x_11, x6, r); ++ qmul(x_101, x6, x_11); ++ qmul(x_111, x6, x_101); ++ memcpy(x6, x_101, (uint32_t)4U * sizeof(uint64_t)); ++ { ++ qsqr(x6, x6); ++ } ++ qmul(x_1111, x_101, x6); ++ { ++ qsqr(x6, x6); ++ } ++ qmul(x_10101, x6, r); ++ memcpy(x6, x_10101, (uint32_t)4U * sizeof(uint64_t)); ++ { ++ qsqr(x6, x6); ++ } ++ qmul(x_101111, x_101, x6); ++ qmul(x6, x_10101, x6); ++ uint64_t tmp1[4U] = { 0U }; ++ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(x6, x6);); ++ qmul(x6, x6, x_11); ++ memcpy(tmp1, x6, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x6); ++ memcpy(x6, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++ KRML_MAYBE_FOR16(i, (uint32_t)0U, (uint32_t)16U, (uint32_t)1U, qsqr(x6, x6);); ++ qmul(x6, x6, tmp1); ++ memcpy(tmp1, x6, (uint32_t)4U * sizeof(uint64_t)); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) { ++ qsqr(tmp1, tmp1); ++ } ++ qmul(tmp1, tmp1, x6); ++ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { ++ qsqr(tmp1, tmp1); ++ } ++ qmul(tmp1, tmp1, x6); ++ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_101111); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_111); ++ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_11); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_1111); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_10101); ++ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_101); ++ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_101); ++ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_101); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_111); ++ KRML_MAYBE_FOR9(i, (uint32_t)0U, (uint32_t)9U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_101111); ++ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_1111); ++ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, r); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, r); ++ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_1111); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_111); ++ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_111); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_111); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_101); ++ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_11); ++ KRML_MAYBE_FOR10(i, (uint32_t)0U, (uint32_t)10U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_101111); ++ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_11); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_11); ++ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_11); ++ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, r); ++ KRML_MAYBE_FOR7(i, (uint32_t)0U, (uint32_t)7U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_10101); ++ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); ++ qmul(tmp1, tmp1, x_1111); ++ memcpy(x6, tmp1, (uint32_t)4U * sizeof(uint64_t)); ++ memcpy(res, x6, (uint32_t)4U * sizeof(uint64_t)); ++} ++ ++static inline void ++qmul_mont(uint64_t *sinv, uint64_t *b, uint64_t *res) ++{ ++ uint64_t tmp[4U] = { 0U }; ++ from_qmont(tmp, b); ++ qmul(res, sinv, tmp); ++} ++ ++static inline bool ++ecdsa_verify_msg_as_qelem( ++ uint64_t *m_q, ++ uint8_t *public_key, ++ uint8_t *signature_r, ++ uint8_t *signature_s) ++{ ++ uint64_t tmp[28U] = { 0U }; ++ uint64_t *pk = tmp; ++ uint64_t *r_q = tmp + (uint32_t)12U; ++ uint64_t *s_q = tmp + (uint32_t)16U; ++ uint64_t *u1 = tmp + (uint32_t)20U; ++ uint64_t *u2 = tmp + (uint32_t)24U; ++ bool is_pk_valid = load_point_vartime(pk, public_key); ++ bn_from_bytes_be4(r_q, signature_r); ++ bn_from_bytes_be4(s_q, signature_s); ++ uint64_t is_r_valid = bn_is_lt_order_and_gt_zero_mask4(r_q); ++ uint64_t is_s_valid = bn_is_lt_order_and_gt_zero_mask4(s_q); ++ bool ++ is_rs_valid = ++ is_r_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU && is_s_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++ if (!(is_pk_valid && is_rs_valid)) { ++ return false; ++ } ++ uint64_t sinv[4U] = { 0U }; ++ qinv(sinv, s_q); ++ qmul_mont(sinv, m_q, u1); ++ qmul_mont(sinv, r_q, u2); ++ uint64_t res[12U] = { 0U }; ++ point_mul_double_g(res, u1, u2, pk); ++ if (is_point_at_inf_vartime(res)) { ++ return false; ++ } ++ uint64_t x[4U] = { 0U }; ++ to_aff_point_x(x, res); ++ qmod_short(x, x); ++ bool res1 = bn_is_eq_vartime4(x, r_q); ++ return res1; ++} ++ ++static inline bool ++ecdsa_sign_msg_as_qelem( ++ uint8_t *signature, ++ uint64_t *m_q, ++ uint8_t *private_key, ++ uint8_t *nonce) ++{ ++ uint64_t rsdk_q[16U] = { 0U }; ++ uint64_t *r_q = rsdk_q; ++ uint64_t *s_q = rsdk_q + (uint32_t)4U; ++ uint64_t *d_a = rsdk_q + (uint32_t)8U; ++ uint64_t *k_q = rsdk_q + (uint32_t)12U; ++ bn_from_bytes_be4(d_a, private_key); ++ uint64_t is_b_valid0 = bn_is_lt_order_and_gt_zero_mask4(d_a); ++ uint64_t oneq0[4U] = { 0U }; ++ oneq0[0U] = (uint64_t)1U; ++ oneq0[1U] = (uint64_t)0U; ++ oneq0[2U] = (uint64_t)0U; ++ oneq0[3U] = (uint64_t)0U; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = d_a; ++ uint64_t uu____0 = oneq0[i]; ++ uint64_t x = uu____0 ^ (is_b_valid0 & (d_a[i] ^ uu____0)); ++ os[i] = x;); ++ uint64_t is_sk_valid = is_b_valid0; ++ bn_from_bytes_be4(k_q, nonce); ++ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(k_q); ++ uint64_t oneq[4U] = { 0U }; ++ oneq[0U] = (uint64_t)1U; ++ oneq[1U] = (uint64_t)0U; ++ oneq[2U] = (uint64_t)0U; ++ oneq[3U] = (uint64_t)0U; ++ KRML_MAYBE_FOR4(i, ++ (uint32_t)0U, ++ (uint32_t)4U, ++ (uint32_t)1U, ++ uint64_t *os = k_q; ++ uint64_t uu____1 = oneq[i]; ++ uint64_t x = uu____1 ^ (is_b_valid & (k_q[i] ^ uu____1)); ++ os[i] = x;); ++ uint64_t is_nonce_valid = is_b_valid; ++ uint64_t are_sk_nonce_valid = is_sk_valid & is_nonce_valid; ++ uint64_t p[12U] = { 0U }; ++ point_mul_g(p, k_q); ++ to_aff_point_x(r_q, p); ++ qmod_short(r_q, r_q); ++ uint64_t kinv[4U] = { 0U }; ++ qinv(kinv, k_q); ++ qmul(s_q, r_q, d_a); ++ from_qmont(m_q, m_q); ++ qadd(s_q, m_q, s_q); ++ qmul(s_q, kinv, s_q); ++ bn2_to_bytes_be4(signature, r_q, s_q); ++ uint64_t is_r_zero = bn_is_zero_mask4(r_q); ++ uint64_t is_s_zero = bn_is_zero_mask4(s_q); ++ uint64_t m = are_sk_nonce_valid & (~is_r_zero & ~is_s_zero); ++ bool res = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++ return res; ++} ++ ++/******************************************************************************* ++ ++ Verified C library for ECDSA and ECDH functions over the P-256 NIST curve. ++ ++ This module implements signing and verification, key validation, conversions ++ between various point representations, and ECDH key agreement. ++ ++*******************************************************************************/ ++ ++/*****************/ ++/* ECDSA signing */ ++/*****************/ ++ ++/** ++Create an ECDSA signature WITHOUT hashing first. ++ ++ This function is intended to receive a hash of the input. ++ For convenience, we recommend using one of the hash-and-sign combined functions above. ++ ++ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). ++ ++ NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs ++ smaller than 32 bytes. These libraries left-pad the input with enough zeroes to ++ reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL ++ need to perform the left-padding themselves. ++ ++ The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. ++ ++ The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. ++ The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The function also checks whether `private_key` and `nonce` are valid values: ++ • 0 < `private_key` < the order of the curve ++ • 0 < `nonce` < the order of the curve ++*/ ++bool ++Hacl_P256_ecdsa_sign_p256_without_hash( ++ uint8_t *signature, ++ uint32_t msg_len, ++ uint8_t *msg, ++ uint8_t *private_key, ++ uint8_t *nonce) ++{ ++ uint64_t m_q[4U] = { 0U }; ++ uint8_t mHash[32U] = { 0U }; ++ memcpy(mHash, msg, (uint32_t)32U * sizeof(uint8_t)); ++ uint8_t *mHash32 = mHash; ++ bn_from_bytes_be4(m_q, mHash32); ++ qmod_short(m_q, m_q); ++ bool res = ecdsa_sign_msg_as_qelem(signature, m_q, private_key, nonce); ++ return res; ++} ++ ++/**********************/ ++/* ECDSA verification */ ++/**********************/ ++ ++/** ++Verify an ECDSA signature WITHOUT hashing first. ++ ++ This function is intended to receive a hash of the input. ++ For convenience, we recommend using one of the hash-and-verify combined functions above. ++ ++ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). ++ ++ The function returns `true` if the signature is valid and `false` otherwise. ++ ++ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. ++ The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The function also checks whether `public_key` is valid ++*/ ++bool ++Hacl_P256_ecdsa_verif_without_hash( ++ uint32_t msg_len, ++ uint8_t *msg, ++ uint8_t *public_key, ++ uint8_t *signature_r, ++ uint8_t *signature_s) ++{ ++ uint64_t m_q[4U] = { 0U }; ++ uint8_t mHash[32U] = { 0U }; ++ memcpy(mHash, msg, (uint32_t)32U * sizeof(uint8_t)); ++ uint8_t *mHash32 = mHash; ++ bn_from_bytes_be4(m_q, mHash32); ++ qmod_short(m_q, m_q); ++ bool res = ecdsa_verify_msg_as_qelem(m_q, public_key, signature_r, signature_s); ++ return res; ++} ++ ++/******************/ ++/* Key validation */ ++/******************/ ++ ++/** ++Public key validation. ++ ++ The function returns `true` if a public key is valid and `false` otherwise. ++ ++ The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ ++ The public key (x || y) is valid (with respect to SP 800-56A): ++ • the public key is not the “point at infinity”, represented as O. ++ • the affine x and y coordinates of the point represented by the public key are ++ in the range [0, p – 1] where p is the prime defining the finite field. ++ • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. ++ The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ ++*/ ++bool ++Hacl_P256_validate_public_key(uint8_t *public_key) ++{ ++ uint64_t point_jac[12U] = { 0U }; ++ bool res = load_point_vartime(point_jac, public_key); ++ return res; ++} ++ ++/** ++Private key validation. ++ ++ The function returns `true` if a private key is valid and `false` otherwise. ++ ++ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The private key is valid: ++ • 0 < `private_key` < the order of the curve ++*/ ++bool ++Hacl_P256_validate_private_key(uint8_t *private_key) ++{ ++ uint64_t bn_sk[4U] = { 0U }; ++ bn_from_bytes_be4(bn_sk, private_key); ++ uint64_t res = bn_is_lt_order_and_gt_zero_mask4(bn_sk); ++ return res == (uint64_t)0xFFFFFFFFFFFFFFFFU; ++} ++ ++/******************************************************************************* ++ Parsing and Serializing public keys. ++ ++ A public key is a point (x, y) on the P-256 NIST curve. ++ ++ The point can be represented in the following three ways. ++ • raw = [ x || y ], 64 bytes ++ • uncompressed = [ 0x04 || x || y ], 65 bytes ++ • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes ++ ++*******************************************************************************/ ++ ++/** ++Convert a public key from uncompressed to its raw form. ++ ++ The function returns `true` for successful conversion of a public key and `false` otherwise. ++ ++ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. ++ ++ The function DOESN'T check whether (x, y) is a valid point. ++*/ ++bool ++Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw) ++{ ++ uint8_t pk0 = pk[0U]; ++ if (pk0 != (uint8_t)0x04U) { ++ return false; ++ } ++ memcpy(pk_raw, pk + (uint32_t)1U, (uint32_t)64U * sizeof(uint8_t)); ++ return true; ++} ++ ++/** ++Convert a public key from compressed to its raw form. ++ ++ The function returns `true` for successful conversion of a public key and `false` otherwise. ++ ++ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. ++ ++ The function also checks whether (x, y) is a valid point. ++*/ ++bool ++Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw) ++{ ++ uint64_t xa[4U] = { 0U }; ++ uint64_t ya[4U] = { 0U }; ++ uint8_t *pk_xb = pk + (uint32_t)1U; ++ bool b = aff_point_decompress_vartime(xa, ya, pk); ++ if (b) { ++ memcpy(pk_raw, pk_xb, (uint32_t)32U * sizeof(uint8_t)); ++ bn_to_bytes_be4(pk_raw + (uint32_t)32U, ya); ++ } ++ return b; ++} ++ ++/** ++Convert a public key from raw to its uncompressed form. ++ ++ The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. ++ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ ++ The function DOESN'T check whether (x, y) is a valid point. ++*/ ++void ++Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk) ++{ ++ pk[0U] = (uint8_t)0x04U; ++ memcpy(pk + (uint32_t)1U, pk_raw, (uint32_t)64U * sizeof(uint8_t)); ++} ++ ++/** ++Convert a public key from raw to its compressed form. ++ ++ The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. ++ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ ++ The function DOESN'T check whether (x, y) is a valid point. ++*/ ++void ++Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk) ++{ ++ uint8_t *pk_x = pk_raw; ++ uint8_t *pk_y = pk_raw + (uint32_t)32U; ++ uint64_t bn_f[4U] = { 0U }; ++ bn_from_bytes_be4(bn_f, pk_y); ++ uint64_t is_odd_f = bn_f[0U] & (uint64_t)1U; ++ pk[0U] = (uint8_t)is_odd_f + (uint8_t)0x02U; ++ memcpy(pk + (uint32_t)1U, pk_x, (uint32_t)32U * sizeof(uint8_t)); ++} ++ ++/******************/ ++/* ECDH agreement */ ++/******************/ ++ ++/** ++Compute the public key from the private key. ++ ++ The function returns `true` if a private key is valid and `false` otherwise. ++ ++ The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The private key is valid: ++ • 0 < `private_key` < the order of the curve. ++*/ ++bool ++Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key) ++{ ++ return Hacl_Impl_P256_DH_ecp256dh_i(public_key, private_key); ++} ++ ++/** ++Execute the diffie-hellmann key exchange. ++ ++ The function returns `true` for successful creation of an ECDH shared secret and ++ `false` otherwise. ++ ++ The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The function also checks whether `private_key` and `their_pubkey` are valid. ++*/ ++bool ++Hacl_P256_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key) ++{ ++ return Hacl_Impl_P256_DH_ecp256dh_r(shared_secret, their_pubkey, private_key); ++} ++ +diff --git a/lib/freebl/verified/Hacl_P256.h b/lib/freebl/verified/Hacl_P256.h +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/verified/Hacl_P256.h +@@ -0,0 +1,237 @@ ++/* MIT License ++ * ++ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation ++ * Copyright (c) 2022-2023 HACL* Contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#ifndef __Hacl_P256_H ++#define __Hacl_P256_H ++ ++#if defined(__cplusplus) ++extern "C" { ++#endif ++ ++#include ++#include "krml/internal/types.h" ++#include "krml/lowstar_endianness.h" ++#include "krml/internal/target.h" ++ ++#include "Hacl_Krmllib.h" ++#include "lib_intrinsics.h" ++ ++/******************************************************************************* ++ ++ Verified C library for ECDSA and ECDH functions over the P-256 NIST curve. ++ ++ This module implements signing and verification, key validation, conversions ++ between various point representations, and ECDH key agreement. ++ ++*******************************************************************************/ ++ ++/*****************/ ++/* ECDSA signing */ ++/*****************/ ++ ++/** ++Create an ECDSA signature WITHOUT hashing first. ++ ++ This function is intended to receive a hash of the input. ++ For convenience, we recommend using one of the hash-and-sign combined functions above. ++ ++ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). ++ ++ NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs ++ smaller than 32 bytes. These libraries left-pad the input with enough zeroes to ++ reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL ++ need to perform the left-padding themselves. ++ ++ The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. ++ ++ The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. ++ The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The function also checks whether `private_key` and `nonce` are valid values: ++ • 0 < `private_key` < the order of the curve ++ • 0 < `nonce` < the order of the curve ++*/ ++bool ++Hacl_P256_ecdsa_sign_p256_without_hash( ++ uint8_t *signature, ++ uint32_t msg_len, ++ uint8_t *msg, ++ uint8_t *private_key, ++ uint8_t *nonce); ++ ++/**********************/ ++/* ECDSA verification */ ++/**********************/ ++ ++/** ++Verify an ECDSA signature WITHOUT hashing first. ++ ++ This function is intended to receive a hash of the input. ++ For convenience, we recommend using one of the hash-and-verify combined functions above. ++ ++ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). ++ ++ The function returns `true` if the signature is valid and `false` otherwise. ++ ++ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. ++ The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The function also checks whether `public_key` is valid ++*/ ++bool ++Hacl_P256_ecdsa_verif_without_hash( ++ uint32_t msg_len, ++ uint8_t *msg, ++ uint8_t *public_key, ++ uint8_t *signature_r, ++ uint8_t *signature_s); ++ ++/******************/ ++/* Key validation */ ++/******************/ ++ ++/** ++Public key validation. ++ ++ The function returns `true` if a public key is valid and `false` otherwise. ++ ++ The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ ++ The public key (x || y) is valid (with respect to SP 800-56A): ++ • the public key is not the “point at infinity”, represented as O. ++ • the affine x and y coordinates of the point represented by the public key are ++ in the range [0, p – 1] where p is the prime defining the finite field. ++ • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. ++ The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ ++*/ ++bool Hacl_P256_validate_public_key(uint8_t *public_key); ++ ++/** ++Private key validation. ++ ++ The function returns `true` if a private key is valid and `false` otherwise. ++ ++ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The private key is valid: ++ • 0 < `private_key` < the order of the curve ++*/ ++bool Hacl_P256_validate_private_key(uint8_t *private_key); ++ ++/******************************************************************************* ++ Parsing and Serializing public keys. ++ ++ A public key is a point (x, y) on the P-256 NIST curve. ++ ++ The point can be represented in the following three ways. ++ • raw = [ x || y ], 64 bytes ++ • uncompressed = [ 0x04 || x || y ], 65 bytes ++ • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes ++ ++*******************************************************************************/ ++ ++/** ++Convert a public key from uncompressed to its raw form. ++ ++ The function returns `true` for successful conversion of a public key and `false` otherwise. ++ ++ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. ++ ++ The function DOESN'T check whether (x, y) is a valid point. ++*/ ++bool Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw); ++ ++/** ++Convert a public key from compressed to its raw form. ++ ++ The function returns `true` for successful conversion of a public key and `false` otherwise. ++ ++ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. ++ ++ The function also checks whether (x, y) is a valid point. ++*/ ++bool Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw); ++ ++/** ++Convert a public key from raw to its uncompressed form. ++ ++ The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. ++ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ ++ The function DOESN'T check whether (x, y) is a valid point. ++*/ ++void Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk); ++ ++/** ++Convert a public key from raw to its compressed form. ++ ++ The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. ++ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ ++ The function DOESN'T check whether (x, y) is a valid point. ++*/ ++void Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk); ++ ++/******************/ ++/* ECDH agreement */ ++/******************/ ++ ++/** ++Compute the public key from the private key. ++ ++ The function returns `true` if a private key is valid and `false` otherwise. ++ ++ The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The private key is valid: ++ • 0 < `private_key` < the order of the curve. ++*/ ++bool Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key); ++ ++/** ++Execute the diffie-hellmann key exchange. ++ ++ The function returns `true` for successful creation of an ECDH shared secret and ++ `false` otherwise. ++ ++ The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64]. ++ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. ++ ++ The function also checks whether `private_key` and `their_pubkey` are valid. ++*/ ++bool ++Hacl_P256_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key); ++ ++#if defined(__cplusplus) ++} ++#endif ++ ++#define __Hacl_P256_H_DEFINED ++#endif +diff --git a/lib/freebl/verified/internal/Hacl_Bignum_Base.h b/lib/freebl/verified/internal/Hacl_Bignum_Base.h +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/verified/internal/Hacl_Bignum_Base.h +@@ -0,0 +1,114 @@ ++/* MIT License ++ * ++ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation ++ * Copyright (c) 2022-2023 HACL* Contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#ifndef __internal_Hacl_Bignum_Base_H ++#define __internal_Hacl_Bignum_Base_H ++ ++#if defined(__cplusplus) ++extern "C" { ++#endif ++ ++#include ++#include "krml/internal/types.h" ++#include "krml/lowstar_endianness.h" ++#include "krml/internal/target.h" ++ ++#include "internal/Hacl_Krmllib.h" ++#include "Hacl_Krmllib.h" ++#include "internal/lib_intrinsics.h" ++ ++static inline uint32_t ++Hacl_Bignum_Base_mul_wide_add2_u32(uint32_t a, uint32_t b, uint32_t c_in, uint32_t *out) ++{ ++ uint32_t out0 = out[0U]; ++ uint64_t res = (uint64_t)a * (uint64_t)b + (uint64_t)c_in + (uint64_t)out0; ++ out[0U] = (uint32_t)res; ++ return (uint32_t)(res >> (uint32_t)32U); ++} ++ ++static inline uint64_t ++Hacl_Bignum_Base_mul_wide_add2_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out) ++{ ++ uint64_t out0 = out[0U]; ++ FStar_UInt128_uint128 ++ res = ++ FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(a, b), ++ FStar_UInt128_uint64_to_uint128(c_in)), ++ FStar_UInt128_uint64_to_uint128(out0)); ++ out[0U] = FStar_UInt128_uint128_to_uint64(res); ++ return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); ++} ++ ++static inline uint64_t ++Hacl_Bignum_Lib_bn_get_bits_u64(uint32_t len, uint64_t *b, uint32_t i, uint32_t l) ++{ ++ uint32_t i1 = i / (uint32_t)64U; ++ uint32_t j = i % (uint32_t)64U; ++ uint64_t p1 = b[i1] >> j; ++ uint64_t ite; ++ if (i1 + (uint32_t)1U < len && (uint32_t)0U < j) { ++ ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); ++ } else { ++ ite = p1; ++ } ++ return ite & (((uint64_t)1U << l) - (uint64_t)1U); ++} ++ ++static inline uint64_t ++Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res) ++{ ++ uint64_t c = (uint64_t)0U; ++ for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) { ++ uint64_t t1 = a[(uint32_t)4U * i]; ++ uint64_t t20 = b[(uint32_t)4U * i]; ++ uint64_t *res_i0 = res + (uint32_t)4U * i; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); ++ uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; ++ uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; ++ uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); ++ uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; ++ uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; ++ uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); ++ uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; ++ uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; ++ uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); ++ } ++ for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) { ++ uint64_t t1 = a[i]; ++ uint64_t t2 = b[i]; ++ uint64_t *res_i = res + i; ++ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); ++ } ++ return c; ++} ++ ++#if defined(__cplusplus) ++} ++#endif ++ ++#define __internal_Hacl_Bignum_Base_H_DEFINED ++#endif +diff --git a/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h +@@ -0,0 +1,83 @@ ++/* MIT License ++ * ++ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation ++ * Copyright (c) 2022-2023 HACL* Contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#ifndef __Hacl_IntTypes_Intrinsics_H ++#define __Hacl_IntTypes_Intrinsics_H ++ ++#if defined(__cplusplus) ++extern "C" { ++#endif ++ ++#include ++#include "krml/internal/types.h" ++#include "krml/lowstar_endianness.h" ++#include "krml/internal/target.h" ++ ++#include "Hacl_Krmllib.h" ++ ++static inline uint32_t ++Hacl_IntTypes_Intrinsics_add_carry_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r) ++{ ++ uint64_t res = (uint64_t)x + (uint64_t)cin + (uint64_t)y; ++ uint32_t c = (uint32_t)(res >> (uint32_t)32U); ++ r[0U] = (uint32_t)res; ++ return c; ++} ++ ++static inline uint32_t ++Hacl_IntTypes_Intrinsics_sub_borrow_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r) ++{ ++ uint64_t res = (uint64_t)x - (uint64_t)y - (uint64_t)cin; ++ uint32_t c = (uint32_t)(res >> (uint32_t)32U) & (uint32_t)1U; ++ r[0U] = (uint32_t)res; ++ return c; ++} ++ ++static inline uint64_t ++Hacl_IntTypes_Intrinsics_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) ++{ ++ uint64_t res = x + cin + y; ++ uint64_t ++ c = (~FStar_UInt64_gte_mask(res, x) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U; ++ r[0U] = res; ++ return c; ++} ++ ++static inline uint64_t ++Hacl_IntTypes_Intrinsics_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) ++{ ++ uint64_t res = x - y - cin; ++ uint64_t ++ c = ++ ((FStar_UInt64_gte_mask(res, x) & ~FStar_UInt64_eq_mask(res, x)) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U; ++ r[0U] = res; ++ return c; ++} ++ ++#if defined(__cplusplus) ++} ++#endif ++ ++#define __Hacl_IntTypes_Intrinsics_H_DEFINED ++#endif +diff --git a/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h +@@ -0,0 +1,72 @@ ++/* MIT License ++ * ++ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation ++ * Copyright (c) 2022-2023 HACL* Contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#ifndef __Hacl_IntTypes_Intrinsics_128_H ++#define __Hacl_IntTypes_Intrinsics_128_H ++ ++#if defined(__cplusplus) ++extern "C" { ++#endif ++ ++#include ++#include "krml/internal/types.h" ++#include "krml/lowstar_endianness.h" ++#include "krml/internal/target.h" ++ ++#include "Hacl_Krmllib.h" ++ ++static inline uint64_t ++Hacl_IntTypes_Intrinsics_128_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) ++{ ++ FStar_UInt128_uint128 ++ res = ++ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_uint64_to_uint128(x), ++ FStar_UInt128_uint64_to_uint128(cin)), ++ FStar_UInt128_uint64_to_uint128(y)); ++ uint64_t c = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); ++ r[0U] = FStar_UInt128_uint128_to_uint64(res); ++ return c; ++} ++ ++static inline uint64_t ++Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) ++{ ++ FStar_UInt128_uint128 ++ res = ++ FStar_UInt128_sub_mod(FStar_UInt128_sub_mod(FStar_UInt128_uint64_to_uint128(x), ++ FStar_UInt128_uint64_to_uint128(y)), ++ FStar_UInt128_uint64_to_uint128(cin)); ++ uint64_t ++ c = ++ FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)) & (uint64_t)1U; ++ r[0U] = FStar_UInt128_uint128_to_uint64(res); ++ return c; ++} ++ ++#if defined(__cplusplus) ++} ++#endif ++ ++#define __Hacl_IntTypes_Intrinsics_128_H_DEFINED ++#endif +diff --git a/lib/freebl/verified/internal/Hacl_P256.h b/lib/freebl/verified/internal/Hacl_P256.h +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/verified/internal/Hacl_P256.h +@@ -0,0 +1,56 @@ ++/* MIT License ++ * ++ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation ++ * Copyright (c) 2022-2023 HACL* Contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#ifndef __internal_Hacl_P256_H ++#define __internal_Hacl_P256_H ++ ++#if defined(__cplusplus) ++extern "C" { ++#endif ++ ++#include ++#include "krml/internal/types.h" ++#include "krml/lowstar_endianness.h" ++#include "krml/internal/target.h" ++ ++#include "internal/Hacl_P256_PrecompTable.h" ++#include "internal/Hacl_Krmllib.h" ++#include "internal/Hacl_Bignum_Base.h" ++#include "../Hacl_P256.h" ++//#include "lib_intrinsics.h" ++ ++bool Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key); ++ ++bool ++Hacl_Impl_P256_DH_ecp256dh_r( ++ uint8_t *shared_secret, ++ uint8_t *their_pubkey, ++ uint8_t *private_key); ++ ++#if defined(__cplusplus) ++} ++#endif ++ ++#define __internal_Hacl_P256_H_DEFINED ++#endif +diff --git a/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h b/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h +@@ -0,0 +1,508 @@ ++/* MIT License ++ * ++ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation ++ * Copyright (c) 2022-2023 HACL* Contributors ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a copy ++ * of this software and associated documentation files (the "Software"), to deal ++ * in the Software without restriction, including without limitation the rights ++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell ++ * copies of the Software, and to permit persons to whom the Software is ++ * furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice shall be included in all ++ * copies or substantial portions of the Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE ++ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, ++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE ++ * SOFTWARE. ++ */ ++ ++#ifndef __internal_Hacl_P256_PrecompTable_H ++#define __internal_Hacl_P256_PrecompTable_H ++ ++#if defined(__cplusplus) ++extern "C" { ++#endif ++ ++#include ++#include "krml/internal/types.h" ++#include "krml/lowstar_endianness.h" ++#include "krml/internal/target.h" ++ ++static const uint64_t ++ Hacl_P256_PrecompTable_precomp_basepoint_table_w4[192U] = { ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, ++ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)8784043285714375740U, ++ (uint64_t)8483257759279461889U, (uint64_t)8789745728267363600U, (uint64_t)1770019616739251654U, ++ (uint64_t)15992936863339206154U, (uint64_t)10037038012062884956U, ++ (uint64_t)15197544864945402661U, (uint64_t)9615747158586711429U, (uint64_t)1U, ++ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, ++ (uint64_t)10634854829044225757U, (uint64_t)351552716085025155U, (uint64_t)10645315080955407736U, ++ (uint64_t)3609262091244858135U, (uint64_t)15760741698986874125U, ++ (uint64_t)14936374388219697827U, (uint64_t)15751360096993017895U, ++ (uint64_t)18012233706239762398U, (uint64_t)1993877568177495041U, ++ (uint64_t)10345888787846536528U, (uint64_t)7746511691117935375U, ++ (uint64_t)14517043990409914413U, (uint64_t)14122549297570634151U, ++ (uint64_t)16934610359517083771U, (uint64_t)5724511325497097418U, (uint64_t)8983432969107448705U, ++ (uint64_t)2687429970334080245U, (uint64_t)16525396802810050288U, (uint64_t)7602596488871585854U, ++ (uint64_t)4813919589149203084U, (uint64_t)7680395813780804519U, (uint64_t)6687709583048023590U, ++ (uint64_t)18086445169104142027U, (uint64_t)9637814708330203929U, ++ (uint64_t)14785108459960679090U, (uint64_t)3838023279095023581U, (uint64_t)3555615526157830307U, ++ (uint64_t)5177066488380472871U, (uint64_t)18218186719108038403U, ++ (uint64_t)16281556341699656105U, (uint64_t)1524227924561461191U, (uint64_t)4148060517641909597U, ++ (uint64_t)2858290374115363433U, (uint64_t)8942772026334130620U, (uint64_t)3034451298319885113U, ++ (uint64_t)8447866036736640940U, (uint64_t)11204933433076256578U, ++ (uint64_t)18333595740249588297U, (uint64_t)8259597024804538246U, (uint64_t)9539734295777539786U, ++ (uint64_t)9797290423046626413U, (uint64_t)5777303437849646537U, (uint64_t)8739356909899132020U, ++ (uint64_t)14815960973766782158U, (uint64_t)15286581798204509801U, ++ (uint64_t)17597362577777019682U, (uint64_t)13259283710820519742U, ++ (uint64_t)10501322996899164670U, (uint64_t)1221138904338319642U, ++ (uint64_t)14586685489551951885U, (uint64_t)895326705426031212U, (uint64_t)14398171728560617847U, ++ (uint64_t)9592550823745097391U, (uint64_t)17240998489162206026U, (uint64_t)8085479283308189196U, ++ (uint64_t)14844657737893882826U, (uint64_t)15923425394150618234U, ++ (uint64_t)2997808084773249525U, (uint64_t)494323555453660587U, (uint64_t)1215695327517794764U, ++ (uint64_t)9476207381098391690U, (uint64_t)7480789678419122995U, (uint64_t)15212230329321082489U, ++ (uint64_t)436189395349576388U, (uint64_t)17377474396456660834U, (uint64_t)15237013929655017939U, ++ (uint64_t)11444428846883781676U, (uint64_t)5112749694521428575U, (uint64_t)950829367509872073U, ++ (uint64_t)17665036182057559519U, (uint64_t)17205133339690002313U, ++ (uint64_t)16233765170251334549U, (uint64_t)10122775683257972591U, ++ (uint64_t)3352514236455632420U, (uint64_t)9143148522359954691U, (uint64_t)601191684005658860U, ++ (uint64_t)13398772186646349998U, (uint64_t)15512696600132928431U, ++ (uint64_t)9128416073728948653U, (uint64_t)11233051033546138578U, (uint64_t)6769345682610122833U, ++ (uint64_t)10823233224575054288U, (uint64_t)9997725227559980175U, (uint64_t)6733425642852897415U, ++ (uint64_t)16302206918151466066U, (uint64_t)1669330822143265921U, (uint64_t)2661645605036546002U, ++ (uint64_t)17182558479745802165U, (uint64_t)1165082692376932040U, (uint64_t)9470595929011488359U, ++ (uint64_t)6142147329285324932U, (uint64_t)4829075085998111287U, (uint64_t)10231370681107338930U, ++ (uint64_t)9591876895322495239U, (uint64_t)10316468561384076618U, ++ (uint64_t)11592503647238064235U, (uint64_t)13395813606055179632U, (uint64_t)511127033980815508U, ++ (uint64_t)12434976573147649880U, (uint64_t)3425094795384359127U, (uint64_t)6816971736303023445U, ++ (uint64_t)15444670609021139344U, (uint64_t)9464349818322082360U, ++ (uint64_t)16178216413042376883U, (uint64_t)9595540370774317348U, (uint64_t)7229365182662875710U, ++ (uint64_t)4601177649460012843U, (uint64_t)5455046447382487090U, (uint64_t)10854066421606187521U, ++ (uint64_t)15913416821879788071U, (uint64_t)2297365362023460173U, (uint64_t)2603252216454941350U, ++ (uint64_t)6768791943870490934U, (uint64_t)15705936687122754810U, (uint64_t)9537096567546600694U, ++ (uint64_t)17580538144855035062U, (uint64_t)4496542856965746638U, (uint64_t)8444341625922124942U, ++ (uint64_t)12191263903636183168U, (uint64_t)17427332907535974165U, ++ (uint64_t)14307569739254103736U, (uint64_t)13900598742063266169U, ++ (uint64_t)7176996424355977650U, (uint64_t)5709008170379717479U, (uint64_t)14471312052264549092U, ++ (uint64_t)1464519909491759867U, (uint64_t)3328154641049602121U, (uint64_t)13020349337171136774U, ++ (uint64_t)2772166279972051938U, (uint64_t)10854476939425975292U, (uint64_t)1967189930534630940U, ++ (uint64_t)2802919076529341959U, (uint64_t)14792226094833519208U, ++ (uint64_t)14675640928566522177U, (uint64_t)14838974364643800837U, ++ (uint64_t)17631460696099549980U, (uint64_t)17434186275364935469U, ++ (uint64_t)2665648200587705473U, (uint64_t)13202122464492564051U, (uint64_t)7576287350918073341U, ++ (uint64_t)2272206013910186424U, (uint64_t)14558761641743937843U, (uint64_t)5675729149929979729U, ++ (uint64_t)9043135187561613166U, (uint64_t)11750149293830589225U, (uint64_t)740555197954307911U, ++ (uint64_t)9871738005087190699U, (uint64_t)17178667634283502053U, ++ (uint64_t)18046255991533013265U, (uint64_t)4458222096988430430U, (uint64_t)8452427758526311627U, ++ (uint64_t)13825286929656615266U, (uint64_t)13956286357198391218U, ++ (uint64_t)15875692916799995079U, (uint64_t)10634895319157013920U, ++ (uint64_t)13230116118036304207U, (uint64_t)8795317393614625606U, (uint64_t)7001710806858862020U, ++ (uint64_t)7949746088586183478U, (uint64_t)14677556044923602317U, ++ (uint64_t)11184023437485843904U, (uint64_t)11215864722023085094U, ++ (uint64_t)6444464081471519014U, (uint64_t)1706241174022415217U, (uint64_t)8243975633057550613U, ++ (uint64_t)15502902453836085864U, (uint64_t)3799182188594003953U, (uint64_t)3538840175098724094U ++ }; ++ ++static const uint64_t ++ Hacl_P256_PrecompTable_precomp_g_pow2_64_table_w4[192U] = { ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, ++ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1499621593102562565U, ++ (uint64_t)16692369783039433128U, (uint64_t)15337520135922861848U, ++ (uint64_t)5455737214495366228U, (uint64_t)17827017231032529600U, ++ (uint64_t)12413621606240782649U, (uint64_t)2290483008028286132U, ++ (uint64_t)15752017553340844820U, (uint64_t)4846430910634234874U, ++ (uint64_t)10861682798464583253U, (uint64_t)15404737222404363049U, (uint64_t)363586619281562022U, ++ (uint64_t)9866710912401645115U, (uint64_t)1162548847543228595U, (uint64_t)7649967190445130486U, ++ (uint64_t)5212340432230915749U, (uint64_t)7572620550182916491U, (uint64_t)14876145112448665096U, ++ (uint64_t)2063227348838176167U, (uint64_t)3519435548295415847U, (uint64_t)8390400282019023103U, ++ (uint64_t)17666843593163037841U, (uint64_t)9450204148816496323U, (uint64_t)8483374507652916768U, ++ (uint64_t)6254661047265818424U, (uint64_t)16382127809582285023U, (uint64_t)125359443771153172U, ++ (uint64_t)1374336701588437897U, (uint64_t)11362596098420127726U, (uint64_t)2101654420738681387U, ++ (uint64_t)12772780342444840510U, (uint64_t)12546934328908550060U, ++ (uint64_t)8331880412333790397U, (uint64_t)11687262051473819904U, (uint64_t)8926848496503457587U, ++ (uint64_t)9603974142010467857U, (uint64_t)13199952163826973175U, (uint64_t)2189856264898797734U, ++ (uint64_t)11356074861870267226U, (uint64_t)2027714896422561895U, (uint64_t)5261606367808050149U, ++ (uint64_t)153855954337762312U, (uint64_t)6375919692894573986U, (uint64_t)12364041207536146533U, ++ (uint64_t)1891896010455057160U, (uint64_t)1568123795087313171U, (uint64_t)18138710056556660101U, ++ (uint64_t)6004886947510047736U, (uint64_t)4811859325589542932U, (uint64_t)3618763430148954981U, ++ (uint64_t)11434521746258554122U, (uint64_t)10086341535864049427U, ++ (uint64_t)8073421629570399570U, (uint64_t)12680586148814729338U, (uint64_t)9619958020761569612U, ++ (uint64_t)15827203580658384478U, (uint64_t)12832694810937550406U, ++ (uint64_t)14977975484447400910U, (uint64_t)5478002389061063653U, ++ (uint64_t)14731136312639060880U, (uint64_t)4317867687275472033U, (uint64_t)6642650962855259884U, ++ (uint64_t)2514254944289495285U, (uint64_t)14231405641534478436U, (uint64_t)4045448346091518946U, ++ (uint64_t)8985477013445972471U, (uint64_t)8869039454457032149U, (uint64_t)4356978486208692970U, ++ (uint64_t)10805288613335538577U, (uint64_t)12832353127812502042U, ++ (uint64_t)4576590051676547490U, (uint64_t)6728053735138655107U, (uint64_t)17814206719173206184U, ++ (uint64_t)79790138573994940U, (uint64_t)17920293215101822267U, (uint64_t)13422026625585728864U, ++ (uint64_t)5018058010492547271U, (uint64_t)110232326023384102U, (uint64_t)10834264070056942976U, ++ (uint64_t)15222249086119088588U, (uint64_t)15119439519142044997U, ++ (uint64_t)11655511970063167313U, (uint64_t)1614477029450566107U, (uint64_t)3619322817271059794U, ++ (uint64_t)9352862040415412867U, (uint64_t)14017522553242747074U, ++ (uint64_t)13138513643674040327U, (uint64_t)3610195242889455765U, (uint64_t)8371069193996567291U, ++ (uint64_t)12670227996544662654U, (uint64_t)1205961025092146303U, ++ (uint64_t)13106709934003962112U, (uint64_t)4350113471327723407U, ++ (uint64_t)15060941403739680459U, (uint64_t)13639127647823205030U, ++ (uint64_t)10790943339357725715U, (uint64_t)498760574280648264U, (uint64_t)17922071907832082887U, ++ (uint64_t)15122670976670152145U, (uint64_t)6275027991110214322U, (uint64_t)7250912847491816402U, ++ (uint64_t)15206617260142982380U, (uint64_t)3385668313694152877U, ++ (uint64_t)17522479771766801905U, (uint64_t)2965919117476170655U, (uint64_t)1553238516603269404U, ++ (uint64_t)5820770015631050991U, (uint64_t)4999445222232605348U, (uint64_t)9245650860833717444U, ++ (uint64_t)1508811811724230728U, (uint64_t)5190684913765614385U, (uint64_t)15692927070934536166U, ++ (uint64_t)12981978499190500902U, (uint64_t)5143491963193394698U, (uint64_t)7705698092144084129U, ++ (uint64_t)581120653055084783U, (uint64_t)13886552864486459714U, (uint64_t)6290301270652587255U, ++ (uint64_t)8663431529954393128U, (uint64_t)17033405846475472443U, (uint64_t)5206780355442651635U, ++ (uint64_t)12580364474736467688U, (uint64_t)17934601912005283310U, ++ (uint64_t)15119491731028933652U, (uint64_t)17848231399859044858U, ++ (uint64_t)4427673319524919329U, (uint64_t)2673607337074368008U, (uint64_t)14034876464294699949U, ++ (uint64_t)10938948975420813697U, (uint64_t)15202340615298669183U, ++ (uint64_t)5496603454069431071U, (uint64_t)2486526142064906845U, (uint64_t)4507882119510526802U, ++ (uint64_t)13888151172411390059U, (uint64_t)15049027856908071726U, ++ (uint64_t)9667231543181973158U, (uint64_t)6406671575277563202U, (uint64_t)3395801050331215139U, ++ (uint64_t)9813607433539108308U, (uint64_t)2681417728820980381U, (uint64_t)18407064643927113994U, ++ (uint64_t)7707177692113485527U, (uint64_t)14218149384635317074U, (uint64_t)3658668346206375919U, ++ (uint64_t)15404713991002362166U, (uint64_t)10152074687696195207U, ++ (uint64_t)10926946599582128139U, (uint64_t)16907298600007085320U, ++ (uint64_t)16544287219664720279U, (uint64_t)11007075933432813205U, ++ (uint64_t)8652245965145713599U, (uint64_t)7857626748965990384U, (uint64_t)5602306604520095870U, ++ (uint64_t)2525139243938658618U, (uint64_t)14405696176872077447U, ++ (uint64_t)18432270482137885332U, (uint64_t)9913880809120071177U, ++ (uint64_t)16896141737831216972U, (uint64_t)7484791498211214829U, ++ (uint64_t)15635259968266497469U, (uint64_t)8495118537612215624U, (uint64_t)4915477980562575356U, ++ (uint64_t)16453519279754924350U, (uint64_t)14462108244565406969U, ++ (uint64_t)14837837755237096687U, (uint64_t)14130171078892575346U, ++ (uint64_t)15423793222528491497U, (uint64_t)5460399262075036084U, ++ (uint64_t)16085440580308415349U, (uint64_t)26873200736954488U, (uint64_t)5603655807457499550U, ++ (uint64_t)3342202915871129617U, (uint64_t)1604413932150236626U, (uint64_t)9684226585089458974U, ++ (uint64_t)1213229904006618539U, (uint64_t)6782978662408837236U, (uint64_t)11197029877749307372U, ++ (uint64_t)14085968786551657744U, (uint64_t)17352273610494009342U, ++ (uint64_t)7876582961192434984U ++ }; ++ ++static const uint64_t ++ Hacl_P256_PrecompTable_precomp_g_pow2_128_table_w4[192U] = { ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, ++ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)14619254753077084366U, ++ (uint64_t)13913835116514008593U, (uint64_t)15060744674088488145U, ++ (uint64_t)17668414598203068685U, (uint64_t)10761169236902342334U, ++ (uint64_t)15467027479157446221U, (uint64_t)14989185522423469618U, ++ (uint64_t)14354539272510107003U, (uint64_t)14298211796392133693U, ++ (uint64_t)13270323784253711450U, (uint64_t)13380964971965046957U, ++ (uint64_t)8686204248456909699U, (uint64_t)17434630286744937066U, (uint64_t)1355903775279084720U, ++ (uint64_t)7554695053550308662U, (uint64_t)11354971222741863570U, (uint64_t)564601613420749879U, ++ (uint64_t)8466325837259054896U, (uint64_t)10752965181772434263U, ++ (uint64_t)11405876547368426319U, (uint64_t)13791894568738930940U, ++ (uint64_t)8230587134406354675U, (uint64_t)12415514098722758608U, ++ (uint64_t)18414183046995786744U, (uint64_t)15508000368227372870U, ++ (uint64_t)5781062464627999307U, (uint64_t)15339429052219195590U, ++ (uint64_t)16038703753810741903U, (uint64_t)9587718938298980714U, (uint64_t)4822658817952386407U, ++ (uint64_t)1376351024833260660U, (uint64_t)1120174910554766702U, (uint64_t)1730170933262569274U, ++ (uint64_t)5187428548444533500U, (uint64_t)16242053503368957131U, (uint64_t)3036811119519868279U, ++ (uint64_t)1760267587958926638U, (uint64_t)170244572981065185U, (uint64_t)8063080791967388171U, ++ (uint64_t)4824892826607692737U, (uint64_t)16286391083472040552U, ++ (uint64_t)11945158615253358747U, (uint64_t)14096887760410224200U, ++ (uint64_t)1613720831904557039U, (uint64_t)14316966673761197523U, ++ (uint64_t)17411006201485445341U, (uint64_t)8112301506943158801U, (uint64_t)2069889233927989984U, ++ (uint64_t)10082848378277483927U, (uint64_t)3609691194454404430U, (uint64_t)6110437205371933689U, ++ (uint64_t)9769135977342231601U, (uint64_t)11977962151783386478U, ++ (uint64_t)18088718692559983573U, (uint64_t)11741637975753055U, (uint64_t)11110390325701582190U, ++ (uint64_t)1341402251566067019U, (uint64_t)3028229550849726478U, (uint64_t)10438984083997451310U, ++ (uint64_t)12730851885100145709U, (uint64_t)11524169532089894189U, ++ (uint64_t)4523375903229602674U, (uint64_t)2028602258037385622U, (uint64_t)17082839063089388410U, ++ (uint64_t)6103921364634113167U, (uint64_t)17066180888225306102U, ++ (uint64_t)11395680486707876195U, (uint64_t)10952892272443345484U, ++ (uint64_t)8792831960605859401U, (uint64_t)14194485427742325139U, ++ (uint64_t)15146020821144305250U, (uint64_t)1654766014957123343U, (uint64_t)7955526243090948551U, ++ (uint64_t)3989277566080493308U, (uint64_t)12229385116397931231U, ++ (uint64_t)13430548930727025562U, (uint64_t)3434892688179800602U, (uint64_t)8431998794645622027U, ++ (uint64_t)12132530981596299272U, (uint64_t)2289461608863966999U, ++ (uint64_t)18345870950201487179U, (uint64_t)13517947207801901576U, ++ (uint64_t)5213113244172561159U, (uint64_t)17632986594098340879U, (uint64_t)4405251818133148856U, ++ (uint64_t)11783009269435447793U, (uint64_t)9332138983770046035U, ++ (uint64_t)12863411548922539505U, (uint64_t)3717030292816178224U, ++ (uint64_t)10026078446427137374U, (uint64_t)11167295326594317220U, ++ (uint64_t)12425328773141588668U, (uint64_t)5760335125172049352U, (uint64_t)9016843701117277863U, ++ (uint64_t)5657892835694680172U, (uint64_t)11025130589305387464U, (uint64_t)1368484957977406173U, ++ (uint64_t)17361351345281258834U, (uint64_t)1907113641956152700U, ++ (uint64_t)16439233413531427752U, (uint64_t)5893322296986588932U, ++ (uint64_t)14000206906171746627U, (uint64_t)14979266987545792900U, ++ (uint64_t)6926291766898221120U, (uint64_t)7162023296083360752U, (uint64_t)14762747553625382529U, ++ (uint64_t)12610831658612406849U, (uint64_t)10462926899548715515U, ++ (uint64_t)4794017723140405312U, (uint64_t)5234438200490163319U, (uint64_t)8019519110339576320U, ++ (uint64_t)7194604241290530100U, (uint64_t)12626770134810813246U, ++ (uint64_t)10793074474236419890U, (uint64_t)11323224347913978783U, ++ (uint64_t)16831128015895380245U, (uint64_t)18323094195124693378U, ++ (uint64_t)2361097165281567692U, (uint64_t)15755578675014279498U, ++ (uint64_t)14289876470325854580U, (uint64_t)12856787656093616839U, ++ (uint64_t)3578928531243900594U, (uint64_t)3847532758790503699U, (uint64_t)8377953190224748743U, ++ (uint64_t)3314546646092744596U, (uint64_t)800810188859334358U, (uint64_t)4626344124229343596U, ++ (uint64_t)6620381605850876621U, (uint64_t)11422073570955989527U, ++ (uint64_t)12676813626484814469U, (uint64_t)16725029886764122240U, ++ (uint64_t)16648497372773830008U, (uint64_t)9135702594931291048U, ++ (uint64_t)16080949688826680333U, (uint64_t)11528096561346602947U, ++ (uint64_t)2632498067099740984U, (uint64_t)11583842699108800714U, (uint64_t)8378404864573610526U, ++ (uint64_t)1076560261627788534U, (uint64_t)13836015994325032828U, ++ (uint64_t)11234295937817067909U, (uint64_t)5893659808396722708U, ++ (uint64_t)11277421142886984364U, (uint64_t)8968549037166726491U, ++ (uint64_t)14841374331394032822U, (uint64_t)9967344773947889341U, (uint64_t)8799244393578496085U, ++ (uint64_t)5094686877301601410U, (uint64_t)8780316747074726862U, (uint64_t)9119697306829835718U, ++ (uint64_t)15381243327921855368U, (uint64_t)2686250164449435196U, ++ (uint64_t)16466917280442198358U, (uint64_t)13791704489163125216U, ++ (uint64_t)16955859337117924272U, (uint64_t)17112836394923783642U, ++ (uint64_t)4639176427338618063U, (uint64_t)16770029310141094964U, ++ (uint64_t)11049953922966416185U, (uint64_t)12012669590884098968U, ++ (uint64_t)4859326885929417214U, (uint64_t)896380084392586061U, (uint64_t)7153028362977034008U, ++ (uint64_t)10540021163316263301U, (uint64_t)9318277998512936585U, ++ (uint64_t)18344496977694796523U, (uint64_t)11374737400567645494U, ++ (uint64_t)17158800051138212954U, (uint64_t)18343197867863253153U, ++ (uint64_t)18204799297967861226U, (uint64_t)15798973531606348828U, ++ (uint64_t)9870158263408310459U, (uint64_t)17578869832774612627U, (uint64_t)8395748875822696932U, ++ (uint64_t)15310679007370670872U, (uint64_t)11205576736030808860U, ++ (uint64_t)10123429210002838967U, (uint64_t)5910544144088393959U, ++ (uint64_t)14016615653353687369U, (uint64_t)11191676704772957822U ++ }; ++ ++static const uint64_t ++ Hacl_P256_PrecompTable_precomp_g_pow2_192_table_w4[192U] = { ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, ++ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)7870395003430845958U, ++ (uint64_t)18001862936410067720U, (uint64_t)8006461232116967215U, (uint64_t)5921313779532424762U, ++ (uint64_t)10702113371959864307U, (uint64_t)8070517410642379879U, (uint64_t)7139806720777708306U, ++ (uint64_t)8253938546650739833U, (uint64_t)17490482834545705718U, (uint64_t)1065249776797037500U, ++ (uint64_t)5018258455937968775U, (uint64_t)14100621120178668337U, (uint64_t)8392845221328116213U, ++ (uint64_t)14630296398338540788U, (uint64_t)4268947906723414372U, (uint64_t)9231207002243517909U, ++ (uint64_t)14261219637616504262U, (uint64_t)7786881626982345356U, ++ (uint64_t)11412720751765882139U, (uint64_t)14119585051365330009U, ++ (uint64_t)15281626286521302128U, (uint64_t)6350171933454266732U, ++ (uint64_t)16559468304937127866U, (uint64_t)13200760478271693417U, ++ (uint64_t)6733381546280350776U, (uint64_t)3801404890075189193U, (uint64_t)2741036364686993903U, ++ (uint64_t)3218612940540174008U, (uint64_t)10894914335165419505U, ++ (uint64_t)11862941430149998362U, (uint64_t)4223151729402839584U, (uint64_t)2913215088487087887U, ++ (uint64_t)14562168920104952953U, (uint64_t)2170089393468287453U, ++ (uint64_t)10520900655016579352U, (uint64_t)7040362608949989273U, (uint64_t)8376510559381705307U, ++ (uint64_t)9142237200448131532U, (uint64_t)5696859948123854080U, (uint64_t)925422306716081180U, ++ (uint64_t)11155545953469186421U, (uint64_t)1888208646862572812U, ++ (uint64_t)11151095998248845721U, (uint64_t)15793503271680275267U, ++ (uint64_t)7729877044494854851U, (uint64_t)6235134673193032913U, (uint64_t)7364280682182401564U, ++ (uint64_t)5479679373325519985U, (uint64_t)17966037684582301763U, ++ (uint64_t)14140891609330279185U, (uint64_t)5814744449740463867U, (uint64_t)5652588426712591652U, ++ (uint64_t)774745682988690912U, (uint64_t)13228255573220500373U, (uint64_t)11949122068786859397U, ++ (uint64_t)8021166392900770376U, (uint64_t)7994323710948720063U, (uint64_t)9924618472877849977U, ++ (uint64_t)17618517523141194266U, (uint64_t)2750424097794401714U, ++ (uint64_t)15481749570715253207U, (uint64_t)14646964509921760497U, ++ (uint64_t)1037442848094301355U, (uint64_t)6295995947389299132U, (uint64_t)16915049722317579514U, ++ (uint64_t)10493877400992990313U, (uint64_t)18391008753060553521U, (uint64_t)483942209623707598U, ++ (uint64_t)2017775662838016613U, (uint64_t)5933251998459363553U, (uint64_t)11789135019970707407U, ++ (uint64_t)5484123723153268336U, (uint64_t)13246954648848484954U, (uint64_t)4774374393926023505U, ++ (uint64_t)14863995618704457336U, (uint64_t)13220153167104973625U, ++ (uint64_t)5988445485312390826U, (uint64_t)17580359464028944682U, (uint64_t)7297100131969874771U, ++ (uint64_t)379931507867989375U, (uint64_t)10927113096513421444U, (uint64_t)17688881974428340857U, ++ (uint64_t)4259872578781463333U, (uint64_t)8573076295966784472U, (uint64_t)16389829450727275032U, ++ (uint64_t)1667243868963568259U, (uint64_t)17730726848925960919U, ++ (uint64_t)11408899874569778008U, (uint64_t)3576527582023272268U, ++ (uint64_t)16492920640224231656U, (uint64_t)7906130545972460130U, ++ (uint64_t)13878604278207681266U, (uint64_t)41446695125652041U, (uint64_t)8891615271337333503U, ++ (uint64_t)2594537723613594470U, (uint64_t)7699579176995770924U, (uint64_t)147458463055730655U, ++ (uint64_t)12120406862739088406U, (uint64_t)12044892493010567063U, ++ (uint64_t)8554076749615475136U, (uint64_t)1005097692260929999U, (uint64_t)2687202654471188715U, ++ (uint64_t)9457588752176879209U, (uint64_t)17472884880062444019U, (uint64_t)9792097892056020166U, ++ (uint64_t)2525246678512797150U, (uint64_t)15958903035313115662U, ++ (uint64_t)11336038170342247032U, (uint64_t)11560342382835141123U, ++ (uint64_t)6212009033479929024U, (uint64_t)8214308203775021229U, (uint64_t)8475469210070503698U, ++ (uint64_t)13287024123485719563U, (uint64_t)12956951963817520723U, ++ (uint64_t)10693035819908470465U, (uint64_t)11375478788224786725U, ++ (uint64_t)16934625208487120398U, (uint64_t)10094585729115874495U, ++ (uint64_t)2763884524395905776U, (uint64_t)13535890148969964883U, ++ (uint64_t)13514657411765064358U, (uint64_t)9903074440788027562U, ++ (uint64_t)17324720726421199990U, (uint64_t)2273931039117368789U, (uint64_t)3442641041506157854U, ++ (uint64_t)1119853641236409612U, (uint64_t)12037070344296077989U, (uint64_t)581736433335671746U, ++ (uint64_t)6019150647054369174U, (uint64_t)14864096138068789375U, (uint64_t)6652995210998318662U, ++ (uint64_t)12773883697029175304U, (uint64_t)12751275631451845119U, ++ (uint64_t)11449095003038250478U, (uint64_t)1025805267334366480U, (uint64_t)2764432500300815015U, ++ (uint64_t)18274564429002844381U, (uint64_t)10445634195592600351U, ++ (uint64_t)11814099592837202735U, (uint64_t)5006796893679120289U, (uint64_t)6908397253997261914U, ++ (uint64_t)13266696965302879279U, (uint64_t)7768715053015037430U, (uint64_t)3569923738654785686U, ++ (uint64_t)5844853453464857549U, (uint64_t)1837340805629559110U, (uint64_t)1034657624388283114U, ++ (uint64_t)711244516069456460U, (uint64_t)12519286026957934814U, (uint64_t)2613464944620837619U, ++ (uint64_t)10003023321338286213U, (uint64_t)7291332092642881376U, (uint64_t)9832199564117004897U, ++ (uint64_t)3280736694860799890U, (uint64_t)6416452202849179874U, (uint64_t)7326961381798642069U, ++ (uint64_t)8435688798040635029U, (uint64_t)16630141263910982958U, ++ (uint64_t)17222635514422533318U, (uint64_t)9482787389178881499U, (uint64_t)836561194658263905U, ++ (uint64_t)3405319043337616649U, (uint64_t)2786146577568026518U, (uint64_t)7625483685691626321U, ++ (uint64_t)6728084875304656716U, (uint64_t)1140997959232544268U, (uint64_t)12847384827606303792U, ++ (uint64_t)1719121337754572070U, (uint64_t)12863589482936438532U, (uint64_t)3880712899640530862U, ++ (uint64_t)2748456882813671564U, (uint64_t)4775988900044623019U, (uint64_t)8937847374382191162U, ++ (uint64_t)3767367347172252295U, (uint64_t)13468672401049388646U, ++ (uint64_t)14359032216842397576U, (uint64_t)2002555958685443975U, ++ (uint64_t)16488678606651526810U, (uint64_t)11826135409597474760U, ++ (uint64_t)15296495673182508601U ++ }; ++ ++static const uint64_t ++ Hacl_P256_PrecompTable_precomp_basepoint_table_w5[384U] = { ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, ++ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, ++ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)8784043285714375740U, ++ (uint64_t)8483257759279461889U, (uint64_t)8789745728267363600U, (uint64_t)1770019616739251654U, ++ (uint64_t)15992936863339206154U, (uint64_t)10037038012062884956U, ++ (uint64_t)15197544864945402661U, (uint64_t)9615747158586711429U, (uint64_t)1U, ++ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, ++ (uint64_t)10634854829044225757U, (uint64_t)351552716085025155U, (uint64_t)10645315080955407736U, ++ (uint64_t)3609262091244858135U, (uint64_t)15760741698986874125U, ++ (uint64_t)14936374388219697827U, (uint64_t)15751360096993017895U, ++ (uint64_t)18012233706239762398U, (uint64_t)1993877568177495041U, ++ (uint64_t)10345888787846536528U, (uint64_t)7746511691117935375U, ++ (uint64_t)14517043990409914413U, (uint64_t)14122549297570634151U, ++ (uint64_t)16934610359517083771U, (uint64_t)5724511325497097418U, (uint64_t)8983432969107448705U, ++ (uint64_t)2687429970334080245U, (uint64_t)16525396802810050288U, (uint64_t)7602596488871585854U, ++ (uint64_t)4813919589149203084U, (uint64_t)7680395813780804519U, (uint64_t)6687709583048023590U, ++ (uint64_t)18086445169104142027U, (uint64_t)9637814708330203929U, ++ (uint64_t)14785108459960679090U, (uint64_t)3838023279095023581U, (uint64_t)3555615526157830307U, ++ (uint64_t)5177066488380472871U, (uint64_t)18218186719108038403U, ++ (uint64_t)16281556341699656105U, (uint64_t)1524227924561461191U, (uint64_t)4148060517641909597U, ++ (uint64_t)2858290374115363433U, (uint64_t)8942772026334130620U, (uint64_t)3034451298319885113U, ++ (uint64_t)8447866036736640940U, (uint64_t)11204933433076256578U, ++ (uint64_t)18333595740249588297U, (uint64_t)8259597024804538246U, (uint64_t)9539734295777539786U, ++ (uint64_t)9797290423046626413U, (uint64_t)5777303437849646537U, (uint64_t)8739356909899132020U, ++ (uint64_t)14815960973766782158U, (uint64_t)15286581798204509801U, ++ (uint64_t)17597362577777019682U, (uint64_t)13259283710820519742U, ++ (uint64_t)10501322996899164670U, (uint64_t)1221138904338319642U, ++ (uint64_t)14586685489551951885U, (uint64_t)895326705426031212U, (uint64_t)14398171728560617847U, ++ (uint64_t)9592550823745097391U, (uint64_t)17240998489162206026U, (uint64_t)8085479283308189196U, ++ (uint64_t)14844657737893882826U, (uint64_t)15923425394150618234U, ++ (uint64_t)2997808084773249525U, (uint64_t)494323555453660587U, (uint64_t)1215695327517794764U, ++ (uint64_t)9476207381098391690U, (uint64_t)7480789678419122995U, (uint64_t)15212230329321082489U, ++ (uint64_t)436189395349576388U, (uint64_t)17377474396456660834U, (uint64_t)15237013929655017939U, ++ (uint64_t)11444428846883781676U, (uint64_t)5112749694521428575U, (uint64_t)950829367509872073U, ++ (uint64_t)17665036182057559519U, (uint64_t)17205133339690002313U, ++ (uint64_t)16233765170251334549U, (uint64_t)10122775683257972591U, ++ (uint64_t)3352514236455632420U, (uint64_t)9143148522359954691U, (uint64_t)601191684005658860U, ++ (uint64_t)13398772186646349998U, (uint64_t)15512696600132928431U, ++ (uint64_t)9128416073728948653U, (uint64_t)11233051033546138578U, (uint64_t)6769345682610122833U, ++ (uint64_t)10823233224575054288U, (uint64_t)9997725227559980175U, (uint64_t)6733425642852897415U, ++ (uint64_t)16302206918151466066U, (uint64_t)1669330822143265921U, (uint64_t)2661645605036546002U, ++ (uint64_t)17182558479745802165U, (uint64_t)1165082692376932040U, (uint64_t)9470595929011488359U, ++ (uint64_t)6142147329285324932U, (uint64_t)4829075085998111287U, (uint64_t)10231370681107338930U, ++ (uint64_t)9591876895322495239U, (uint64_t)10316468561384076618U, ++ (uint64_t)11592503647238064235U, (uint64_t)13395813606055179632U, (uint64_t)511127033980815508U, ++ (uint64_t)12434976573147649880U, (uint64_t)3425094795384359127U, (uint64_t)6816971736303023445U, ++ (uint64_t)15444670609021139344U, (uint64_t)9464349818322082360U, ++ (uint64_t)16178216413042376883U, (uint64_t)9595540370774317348U, (uint64_t)7229365182662875710U, ++ (uint64_t)4601177649460012843U, (uint64_t)5455046447382487090U, (uint64_t)10854066421606187521U, ++ (uint64_t)15913416821879788071U, (uint64_t)2297365362023460173U, (uint64_t)2603252216454941350U, ++ (uint64_t)6768791943870490934U, (uint64_t)15705936687122754810U, (uint64_t)9537096567546600694U, ++ (uint64_t)17580538144855035062U, (uint64_t)4496542856965746638U, (uint64_t)8444341625922124942U, ++ (uint64_t)12191263903636183168U, (uint64_t)17427332907535974165U, ++ (uint64_t)14307569739254103736U, (uint64_t)13900598742063266169U, ++ (uint64_t)7176996424355977650U, (uint64_t)5709008170379717479U, (uint64_t)14471312052264549092U, ++ (uint64_t)1464519909491759867U, (uint64_t)3328154641049602121U, (uint64_t)13020349337171136774U, ++ (uint64_t)2772166279972051938U, (uint64_t)10854476939425975292U, (uint64_t)1967189930534630940U, ++ (uint64_t)2802919076529341959U, (uint64_t)14792226094833519208U, ++ (uint64_t)14675640928566522177U, (uint64_t)14838974364643800837U, ++ (uint64_t)17631460696099549980U, (uint64_t)17434186275364935469U, ++ (uint64_t)2665648200587705473U, (uint64_t)13202122464492564051U, (uint64_t)7576287350918073341U, ++ (uint64_t)2272206013910186424U, (uint64_t)14558761641743937843U, (uint64_t)5675729149929979729U, ++ (uint64_t)9043135187561613166U, (uint64_t)11750149293830589225U, (uint64_t)740555197954307911U, ++ (uint64_t)9871738005087190699U, (uint64_t)17178667634283502053U, ++ (uint64_t)18046255991533013265U, (uint64_t)4458222096988430430U, (uint64_t)8452427758526311627U, ++ (uint64_t)13825286929656615266U, (uint64_t)13956286357198391218U, ++ (uint64_t)15875692916799995079U, (uint64_t)10634895319157013920U, ++ (uint64_t)13230116118036304207U, (uint64_t)8795317393614625606U, (uint64_t)7001710806858862020U, ++ (uint64_t)7949746088586183478U, (uint64_t)14677556044923602317U, ++ (uint64_t)11184023437485843904U, (uint64_t)11215864722023085094U, ++ (uint64_t)6444464081471519014U, (uint64_t)1706241174022415217U, (uint64_t)8243975633057550613U, ++ (uint64_t)15502902453836085864U, (uint64_t)3799182188594003953U, (uint64_t)3538840175098724094U, ++ (uint64_t)13240193491554624643U, (uint64_t)12365034249541329920U, ++ (uint64_t)2924326828590977357U, (uint64_t)5687195797140589099U, (uint64_t)16880427227292834531U, ++ (uint64_t)9691471435758991112U, (uint64_t)16642385273732487288U, ++ (uint64_t)12173806747523009914U, (uint64_t)13142722756877876849U, ++ (uint64_t)8370377548305121979U, (uint64_t)17988526053752025426U, (uint64_t)4818750752684100334U, ++ (uint64_t)5669241919350361655U, (uint64_t)4964810303238518540U, (uint64_t)16709712747671533191U, ++ (uint64_t)4461414404267448242U, (uint64_t)3971798785139504238U, (uint64_t)6276818948740422136U, ++ (uint64_t)1426735892164275762U, (uint64_t)7943622674892418919U, (uint64_t)9864274225563929680U, ++ (uint64_t)57815533745003233U, (uint64_t)10893588105168960233U, (uint64_t)15739162732907069535U, ++ (uint64_t)3923866849462073470U, (uint64_t)12279826158399226875U, (uint64_t)1533015761334846582U, ++ (uint64_t)15860156818568437510U, (uint64_t)8252625373831297988U, (uint64_t)9666953804812706358U, ++ (uint64_t)8767785238646914634U, (uint64_t)14382179044941403551U, ++ (uint64_t)10401039907264254245U, (uint64_t)8584860003763157350U, (uint64_t)3120462679504470266U, ++ (uint64_t)8670255778748340069U, (uint64_t)5313789577940369984U, (uint64_t)16977072364454789224U, ++ (uint64_t)12199578693972188324U, (uint64_t)18211098771672599237U, ++ (uint64_t)12868831556008795030U, (uint64_t)5310155061431048194U, ++ (uint64_t)18114153238435112606U, (uint64_t)14482365809278304512U, ++ (uint64_t)12520721662723001511U, (uint64_t)405943624021143002U, (uint64_t)8146944101507657423U, ++ (uint64_t)181739317780393495U, (uint64_t)81743892273670099U, (uint64_t)14759561962550473930U, ++ (uint64_t)4592623849546992939U, (uint64_t)6916440441743449719U, (uint64_t)1304610503530809833U, ++ (uint64_t)5464930909232486441U, (uint64_t)15414883617496224671U, (uint64_t)8129283345256790U, ++ (uint64_t)18294252198413739489U, (uint64_t)17394115281884857288U, ++ (uint64_t)7808348415224731235U, (uint64_t)13195566655747230608U, (uint64_t)8568194219353949094U, ++ (uint64_t)15329813048672122440U, (uint64_t)9604275495885785744U, (uint64_t)1577712551205219835U, ++ (uint64_t)15964209008022052790U, (uint64_t)15087297920782098160U, ++ (uint64_t)3946031512438511898U, (uint64_t)10050061168984440631U, ++ (uint64_t)11382452014533138316U, (uint64_t)6313670788911952792U, ++ (uint64_t)12015989229696164014U, (uint64_t)5946702628076168852U, (uint64_t)5219995658774362841U, ++ (uint64_t)12230141881068377972U, (uint64_t)12361195202673441956U, ++ (uint64_t)4732862275653856711U, (uint64_t)17221430380805252370U, ++ (uint64_t)15397525953897375810U, (uint64_t)16557437297239563045U, ++ (uint64_t)10101683801868971351U, (uint64_t)1402611372245592868U, (uint64_t)1931806383735563658U, ++ (uint64_t)10991705207471512479U, (uint64_t)861333583207471392U, (uint64_t)15207766844626322355U, ++ (uint64_t)9224628129811432393U, (uint64_t)3497069567089055613U, (uint64_t)11956632757898590316U, ++ (uint64_t)8733729372586312960U, (uint64_t)18091521051714930927U, (uint64_t)77582787724373283U, ++ (uint64_t)9922437373519669237U, (uint64_t)3079321456325704615U, (uint64_t)12171198408512478457U, ++ (uint64_t)17179130884012147596U, (uint64_t)6839115479620367181U, (uint64_t)4421032569964105406U, ++ (uint64_t)10353331468657256053U, (uint64_t)17400988720335968824U, ++ (uint64_t)17138855889417480540U, (uint64_t)4507980080381370611U, ++ (uint64_t)10703175719793781886U, (uint64_t)12598516658725890426U, ++ (uint64_t)8353463412173898932U, (uint64_t)17703029389228422404U, (uint64_t)9313111267107226233U, ++ (uint64_t)5441322942995154196U, (uint64_t)8952817660034465484U, (uint64_t)17571113341183703118U, ++ (uint64_t)7375087953801067019U, (uint64_t)13381466302076453648U, (uint64_t)3218165271423914596U, ++ (uint64_t)16956372157249382685U, (uint64_t)509080090049418841U, (uint64_t)13374233893294084913U, ++ (uint64_t)2988537624204297086U, (uint64_t)4979195832939384620U, (uint64_t)3803931594068976394U, ++ (uint64_t)10731535883829627646U, (uint64_t)12954845047607194278U, ++ (uint64_t)10494298062560667399U, (uint64_t)4967351022190213065U, ++ (uint64_t)13391917938145756456U, (uint64_t)951370484866918160U, (uint64_t)13531334179067685307U, ++ (uint64_t)12868421357919390599U, (uint64_t)15918857042998130258U, ++ (uint64_t)17769743831936974016U, (uint64_t)7137921979260368809U, ++ (uint64_t)12461369180685892062U, (uint64_t)827476514081935199U, (uint64_t)15107282134224767230U, ++ (uint64_t)10084765752802805748U, (uint64_t)3303739059392464407U, ++ (uint64_t)17859532612136591428U, (uint64_t)10949414770405040164U, ++ (uint64_t)12838613589371008785U, (uint64_t)5554397169231540728U, ++ (uint64_t)18375114572169624408U, (uint64_t)15649286703242390139U, ++ (uint64_t)2957281557463706877U, (uint64_t)14000350446219393213U, ++ (uint64_t)14355199721749620351U, (uint64_t)2730856240099299695U, ++ (uint64_t)17528131000714705752U, (uint64_t)2537498525883536360U, (uint64_t)6121058967084509393U, ++ (uint64_t)16897667060435514221U, (uint64_t)12367869599571112440U, ++ (uint64_t)3388831797050807508U, (uint64_t)16791449724090982798U, (uint64_t)2673426123453294928U, ++ (uint64_t)11369313542384405846U, (uint64_t)15641960333586432634U, ++ (uint64_t)15080962589658958379U, (uint64_t)7747943772340226569U, (uint64_t)8075023376199159152U, ++ (uint64_t)8485093027378306528U, (uint64_t)13503706844122243648U, (uint64_t)8401961362938086226U, ++ (uint64_t)8125426002124226402U, (uint64_t)9005399361407785203U, (uint64_t)6847968030066906634U, ++ (uint64_t)11934937736309295197U, (uint64_t)5116750888594772351U, (uint64_t)2817039227179245227U, ++ (uint64_t)17724206901239332980U, (uint64_t)4985702708254058578U, (uint64_t)5786345435756642871U, ++ (uint64_t)17772527414940936938U, (uint64_t)1201320251272957006U, ++ (uint64_t)15787430120324348129U, (uint64_t)6305488781359965661U, ++ (uint64_t)12423900845502858433U, (uint64_t)17485949424202277720U, ++ (uint64_t)2062237315546855852U, (uint64_t)10353639467860902375U, (uint64_t)2315398490451287299U, ++ (uint64_t)15394572894814882621U, (uint64_t)232866113801165640U, (uint64_t)7413443736109338926U, ++ (uint64_t)902719806551551191U, (uint64_t)16568853118619045174U, (uint64_t)14202214862428279177U, ++ (uint64_t)11719595395278861192U, (uint64_t)5890053236389907647U, (uint64_t)9996196494965833627U, ++ (uint64_t)12967056942364782577U, (uint64_t)9034128755157395787U, ++ (uint64_t)17898204904710512655U, (uint64_t)8229373445062993977U, ++ (uint64_t)13580036169519833644U ++ }; ++ ++#if defined(__cplusplus) ++} ++#endif ++ ++#define __internal_Hacl_P256_PrecompTable_H_DEFINED ++#endif +diff --git a/lib/freebl/verified/internal/lib_intrinsics.h b/lib/freebl/verified/internal/lib_intrinsics.h +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/verified/internal/lib_intrinsics.h +@@ -0,0 +1,81 @@ ++#pragma once ++ ++#include ++ ++#if defined(__has_include) ++#if __has_include("config.h") ++#include "config.h" ++#endif ++#endif ++ ++#if !defined(HACL_CAN_COMPILE_INTRINSICS) || \ ++ (defined(__clang__) && (__clang_major__ < 5)) ++ ++#include "Hacl_IntTypes_Intrinsics.h" ++ ++#if defined(HACL_CAN_COMPILE_UINT128) ++ ++#include "Hacl_IntTypes_Intrinsics_128.h" ++ ++#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ ++ (Hacl_IntTypes_Intrinsics_128_add_carry_u64(x1, x2, x3, x4)) ++ ++#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ ++ (Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(x1, x2, x3, x4)) ++ ++#else ++ ++#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ ++ (Hacl_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4)) ++ ++#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ ++ (Hacl_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4)) ++ ++#endif // defined(HACL_CAN_COMPILE_UINT128) ++ ++#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \ ++ (Hacl_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4)) ++ ++#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ ++ (Hacl_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4)) ++ ++#else // !defined(HACL_CAN_COMPILE_INTRINSICS) ++ ++#if defined(_MSC_VER) ++#include ++#else ++#include ++#endif ++ ++#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \ ++ (_addcarry_u32(x1, x2, x3, (unsigned int *)x4)) ++ ++#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ ++ (_addcarry_u64(x1, x2, x3, (long long unsigned int *)x4)) ++ ++/* ++ GCC versions prior to 7.2 pass arguments to _subborrow_u{32,64} ++ in an incorrect order. ++ ++ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81294 ++*/ ++#if defined(__GNUC__) && !defined(__clang__) && \ ++ (__GNUC__ < 7 || (__GNUC__ == 7 && (__GNUC_MINOR__ < 2))) ++ ++#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ ++ (_subborrow_u32(x1, x3, x2, (unsigned int *)x4)) ++ ++#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ ++ (_subborrow_u64(x1, x3, x2, (long long unsigned int *)x4)) ++ ++#else ++ ++#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ ++ (_subborrow_u32(x1, x2, x3, (unsigned int *)x4)) ++ ++#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ ++ (_subborrow_u64(x1, x2, x3, (long long unsigned int *)x4)) ++ ++#endif // GCC < 7.2 ++ ++#endif // !HACL_CAN_COMPILE_INTRINSICS +diff --git a/lib/freebl/verified/karamel/include/krml/internal/target.h b/lib/freebl/verified/karamel/include/krml/internal/target.h +--- a/lib/freebl/verified/karamel/include/krml/internal/target.h ++++ b/lib/freebl/verified/karamel/include/krml/internal/target.h +@@ -1,21 +1,21 @@ + /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 License. */ + + #ifndef __KRML_TARGET_H + #define __KRML_TARGET_H + +-#include ++#include ++#include ++#include ++#include + #include + #include +-#include +-#include +-#include +-#include ++#include + + /* Since KaRaMeL emits the inline keyword unconditionally, we follow the + * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this + * __inline__ to ensure the code compiles with -std=c90 and earlier. */ + #ifdef __GNUC__ + #define inline __inline__ + #endif + +@@ -52,16 +52,29 @@ + #ifndef KRML_HOST_FREE + #define KRML_HOST_FREE free + #endif + + #ifndef KRML_HOST_IGNORE + #define KRML_HOST_IGNORE(x) (void)(x) + #endif + ++#ifndef KRML_NOINLINE ++#if defined(_MSC_VER) ++#define KRML_NOINLINE __declspec(noinline) ++#elif defined(__GNUC__) ++#define KRML_NOINLINE __attribute__((noinline)) ++#else ++#define KRML_NOINLINE ++#warning "The KRML_NOINLINE macro is not defined for this toolchain!" ++#warning "The compiler may defeat side-channel resistance with optimizations." ++#warning "Please locate target.h and try to fill it out with a suitable definition for this compiler." ++#endif ++#endif ++ + #ifndef KRML_PRE_ALIGN + #ifdef _MSC_VER + #define KRML_PRE_ALIGN(X) __declspec(align(X)) + #else + #define KRML_PRE_ALIGN(X) + #endif + #endif + +@@ -75,32 +88,36 @@ + + /* MinGW-W64 does not support C11 aligned_alloc, but it supports + * MSVC's _aligned_malloc. + */ + #ifndef KRML_ALIGNED_MALLOC + #ifdef __MINGW32__ + #include <_mingw.h> + #endif +-#if (defined(_MSC_VER) || (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) ++#if ( \ ++ defined(_MSC_VER) || \ ++ (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) + #define KRML_ALIGNED_MALLOC(X, Y) _aligned_malloc(Y, X) + #else + #define KRML_ALIGNED_MALLOC(X, Y) aligned_alloc(X, Y) + #endif + #endif + + /* Since aligned allocations with MinGW-W64 are done with + * _aligned_malloc (see above), such pointers must be freed with + * _aligned_free. + */ + #ifndef KRML_ALIGNED_FREE + #ifdef __MINGW32__ + #include <_mingw.h> + #endif +-#if (defined(_MSC_VER) || (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) ++#if ( \ ++ defined(_MSC_VER) || \ ++ (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) + #define KRML_ALIGNED_FREE(X) _aligned_free(X) + #else + #define KRML_ALIGNED_FREE(X) free(X) + #endif + #endif + + #ifndef KRML_HOST_TIME + +@@ -148,17 +165,18 @@ krml_time(void) + "Maximum allocatable size exceeded, aborting before overflow at " \ + "%s:%d\n", \ + __FILE__, __LINE__); \ + KRML_HOST_EXIT(253); \ + } \ + } while (0) + + #if defined(_MSC_VER) && _MSC_VER < 1900 +-#define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) ++#define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) \ ++ _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) + #else + #define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg) + #endif + + #if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 4)) + #define KRML_DEPRECATED(x) __attribute__((deprecated(x))) + #elif defined(__GNUC__) + /* deprecated attribute is not defined in GCC < 4.5. */ +@@ -167,16 +185,17 @@ krml_time(void) + #define KRML_DEPRECATED(x) __declspec(deprecated(x)) + #endif + + /* Macros for prettier unrolling of loops */ + #define KRML_LOOP1(i, n, x) \ + { \ + x \ + i += n; \ ++ (void)i; \ + } + + #define KRML_LOOP2(i, n, x) \ + KRML_LOOP1(i, n, x) \ + KRML_LOOP1(i, n, x) + + #define KRML_LOOP3(i, n, x) \ + KRML_LOOP2(i, n, x) \ +diff --git a/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h b/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h +--- a/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h ++++ b/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h +@@ -8,25 +8,35 @@ + + #include + #include + #include "krml/internal/compat.h" + #include "krml/lowstar_endianness.h" + #include "krml/internal/types.h" + #include "krml/internal/target.h" + +-extern Prims_int FStar_UInt64_n; ++#if defined(__clang__) ++#pragma clang diagnostic push ++#pragma clang diagnostic ignored "-Wunused-function" ++#endif ++ ++#if defined(__GNUC__) ++#pragma GCC diagnostic push ++#pragma GCC diagnostic ignored "-Wunused-function" ++#endif ++ ++extern krml_checked_int_t FStar_UInt64_n; + + extern bool FStar_UInt64_uu___is_Mk(uint64_t projectee); + +-extern Prims_int FStar_UInt64___proj__Mk__item__v(uint64_t projectee); ++extern krml_checked_int_t FStar_UInt64___proj__Mk__item__v(uint64_t projectee); + +-extern Prims_int FStar_UInt64_v(uint64_t x); ++extern krml_checked_int_t FStar_UInt64_v(uint64_t x); + +-extern uint64_t FStar_UInt64_uint_to_t(Prims_int x); ++extern uint64_t FStar_UInt64_uint_to_t(krml_checked_int_t x); + + extern uint64_t FStar_UInt64_zero; + + extern uint64_t FStar_UInt64_one; + + extern uint64_t FStar_UInt64_minus(uint64_t a); + + extern uint32_t FStar_UInt64_n_minus_one; +@@ -58,25 +68,25 @@ FStar_UInt64_gte_mask(uint64_t a, uint64 + extern Prims_string FStar_UInt64_to_string(uint64_t uu___); + + extern Prims_string FStar_UInt64_to_string_hex(uint64_t uu___); + + extern Prims_string FStar_UInt64_to_string_hex_pad(uint64_t uu___); + + extern uint64_t FStar_UInt64_of_string(Prims_string uu___); + +-extern Prims_int FStar_UInt32_n; ++extern krml_checked_int_t FStar_UInt32_n; + + extern bool FStar_UInt32_uu___is_Mk(uint32_t projectee); + +-extern Prims_int FStar_UInt32___proj__Mk__item__v(uint32_t projectee); ++extern krml_checked_int_t FStar_UInt32___proj__Mk__item__v(uint32_t projectee); + +-extern Prims_int FStar_UInt32_v(uint32_t x); ++extern krml_checked_int_t FStar_UInt32_v(uint32_t x); + +-extern uint32_t FStar_UInt32_uint_to_t(Prims_int x); ++extern uint32_t FStar_UInt32_uint_to_t(krml_checked_int_t x); + + extern uint32_t FStar_UInt32_zero; + + extern uint32_t FStar_UInt32_one; + + extern uint32_t FStar_UInt32_minus(uint32_t a); + + extern uint32_t FStar_UInt32_n_minus_one; +@@ -108,25 +118,25 @@ FStar_UInt32_gte_mask(uint32_t a, uint32 + extern Prims_string FStar_UInt32_to_string(uint32_t uu___); + + extern Prims_string FStar_UInt32_to_string_hex(uint32_t uu___); + + extern Prims_string FStar_UInt32_to_string_hex_pad(uint32_t uu___); + + extern uint32_t FStar_UInt32_of_string(Prims_string uu___); + +-extern Prims_int FStar_UInt16_n; ++extern krml_checked_int_t FStar_UInt16_n; + + extern bool FStar_UInt16_uu___is_Mk(uint16_t projectee); + +-extern Prims_int FStar_UInt16___proj__Mk__item__v(uint16_t projectee); ++extern krml_checked_int_t FStar_UInt16___proj__Mk__item__v(uint16_t projectee); + +-extern Prims_int FStar_UInt16_v(uint16_t x); ++extern krml_checked_int_t FStar_UInt16_v(uint16_t x); + +-extern uint16_t FStar_UInt16_uint_to_t(Prims_int x); ++extern uint16_t FStar_UInt16_uint_to_t(krml_checked_int_t x); + + extern uint16_t FStar_UInt16_zero; + + extern uint16_t FStar_UInt16_one; + + extern uint16_t FStar_UInt16_minus(uint16_t a); + + extern uint32_t FStar_UInt16_n_minus_one; +@@ -158,25 +168,25 @@ FStar_UInt16_gte_mask(uint16_t a, uint16 + extern Prims_string FStar_UInt16_to_string(uint16_t uu___); + + extern Prims_string FStar_UInt16_to_string_hex(uint16_t uu___); + + extern Prims_string FStar_UInt16_to_string_hex_pad(uint16_t uu___); + + extern uint16_t FStar_UInt16_of_string(Prims_string uu___); + +-extern Prims_int FStar_UInt8_n; ++extern krml_checked_int_t FStar_UInt8_n; + + extern bool FStar_UInt8_uu___is_Mk(uint8_t projectee); + +-extern Prims_int FStar_UInt8___proj__Mk__item__v(uint8_t projectee); ++extern krml_checked_int_t FStar_UInt8___proj__Mk__item__v(uint8_t projectee); + +-extern Prims_int FStar_UInt8_v(uint8_t x); ++extern krml_checked_int_t FStar_UInt8_v(uint8_t x); + +-extern uint8_t FStar_UInt8_uint_to_t(Prims_int x); ++extern uint8_t FStar_UInt8_uint_to_t(krml_checked_int_t x); + + extern uint8_t FStar_UInt8_zero; + + extern uint8_t FStar_UInt8_one; + + extern uint8_t FStar_UInt8_minus(uint8_t a); + + extern uint32_t FStar_UInt8_n_minus_one; +@@ -210,10 +220,18 @@ extern Prims_string FStar_UInt8_to_strin + extern Prims_string FStar_UInt8_to_string_hex(uint8_t uu___); + + extern Prims_string FStar_UInt8_to_string_hex_pad(uint8_t uu___); + + extern uint8_t FStar_UInt8_of_string(Prims_string uu___); + + typedef uint8_t FStar_UInt8_byte; + ++#if defined(__clang__) ++#pragma clang diagnostic pop ++#endif ++ ++#if defined(__GNUC__) ++#pragma GCC diagnostic pop ++#endif ++ + #define __FStar_UInt_8_16_32_64_H_DEFINED + #endif + diff --git a/nss.spec b/nss.spec index 9bbcd89..3a06abd 100644 --- a/nss.spec +++ b/nss.spec @@ -3,7 +3,7 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 1 +%global baserelease 2 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. @@ -135,6 +135,8 @@ Patch40: nss-no-dbm-man-page.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch +# NSS reversion patchtes +Patch300: nss-3.94-HACL-p256.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -297,6 +299,7 @@ popd pushd nss %autopatch -p1 -M 99 +%patch -P 300 -R -p1 popd # https://bugzilla.redhat.com/show_bug.cgi?id=1247353 @@ -1085,6 +1088,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Wed Oct 25 2023 Frantisek Krenzelok - 3.94.0-2 +- revert HACL 256 code to fix binary compatibility issue. + * Wed Oct 4 2023 Frantisek Krenzelok - 3.94.0-1 - Update NSS to 3.94.0 From b40f26ee7153b3255181bd8d82337e33d2550edf Mon Sep 17 00:00:00 2001 From: Robert Relyea Date: Wed, 25 Oct 2023 15:23:29 -0700 Subject: [PATCH 27/28] Revert didn't even build, build with the actual fix. --- nss-3.94-HACL-p256.patch | 4306 -------------------------------- nss-3.94-fix-ec-encoding.patch | 107 + nss.spec | 6 +- 3 files changed, 109 insertions(+), 4310 deletions(-) delete mode 100644 nss-3.94-HACL-p256.patch create mode 100644 nss-3.94-fix-ec-encoding.patch diff --git a/nss-3.94-HACL-p256.patch b/nss-3.94-HACL-p256.patch deleted file mode 100644 index a7286a1..0000000 --- a/nss-3.94-HACL-p256.patch +++ /dev/null @@ -1,4306 +0,0 @@ - -# HG changeset patch -# User Karthikeyan Bhargavan -# Date 1694025109 0 -# Node ID 88262a8e60126b5168d0b96306ed5fd2de4867bb -# Parent ffb50bee6680491dddbdc9a3fa723c86332f15f9 -Bug 1615555 - P-256 ECDH and ECDSA from HACL*. r=jschanck - -Differential Revision: https://phabricator.services.mozilla.com/D185341 - -diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile ---- a/lib/freebl/Makefile -+++ b/lib/freebl/Makefile -@@ -602,17 +602,17 @@ ifndef NSS_DISABLE_CHACHAPOLY - EXTRA_SRCS += Hacl_Poly1305_128.c Hacl_Chacha20_Vec128.c Hacl_Chacha20Poly1305_128.c - DEFINES += -DHACL_CAN_COMPILE_VEC128 - endif - endif # x86_64 - - VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c - endif # NSS_DISABLE_CHACHAPOLY - --VERIFIED_SRCS += Hacl_Hash_SHA3.c -+VERIFIED_SRCS += Hacl_Hash_SHA3.c Hacl_P256.c - - ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH))) - # All 64-bit architectures get the 64 bit version. - ECL_SRCS += curve25519_64.c - VERIFIED_SRCS += Hacl_Curve25519_51.c - else - # All other architectures get the generic 32 bit implementation - ECL_SRCS += curve25519_32.c -diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h ---- a/lib/freebl/blapi.h -+++ b/lib/freebl/blapi.h -@@ -1886,11 +1886,16 @@ extern SECStatus EC_DecodeParams(const S - extern SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, - const ECParams *srcParams); - - /* - * use the internal table to get the size in bytes of a single EC point - */ - extern int EC_GetPointSize(const ECParams *params); - -+/* -+ * use the internal table to get the size in bytes of a single EC coordinate -+ */ -+extern int EC_GetScalarSize(const ECParams *params); -+ - SEC_END_PROTOS - - #endif /* _BLAPI_H_ */ -diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c ---- a/lib/freebl/ec.c -+++ b/lib/freebl/ec.c -@@ -16,17 +16,25 @@ - #include "ec.h" - #include "ecl.h" - - #define EC_DOUBLECHECK PR_FALSE - - static const ECMethod kMethods[] = { - { ECCurve25519, - ec_Curve25519_pt_mul, -- ec_Curve25519_pt_validate } -+ ec_Curve25519_pt_validate, -+ NULL, NULL }, -+ { -+ ECCurve_NIST_P256, -+ ec_secp256r1_pt_mul, -+ ec_secp256r1_pt_validate, -+ ec_secp256r1_sign_digest, -+ ec_secp256r1_verify_digest, -+ } - }; - - static const ECMethod * - ec_get_method_from_name(ECCurveName name) - { - unsigned long i; - for (i = 0; i < sizeof(kMethods) / sizeof(kMethods[0]); ++i) { - if (kMethods[i].name == name) { -@@ -282,17 +290,21 @@ ec_NewKey(ECParams *ecParams, ECPrivateK - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->mul == NULL) { - /* unknown curve */ - rv = SECFailure; - goto cleanup; - } - rv = method->mul(&key->publicValue, &key->privateValue, NULL); -- goto done; -+ if (rv != SECSuccess) { -+ goto cleanup; -+ } else { -+ goto done; -+ } - } - - CHECK_MPI_OK(mp_init(&k)); - CHECK_MPI_OK(mp_read_unsigned_octets(&k, key->privateValue.data, - (mp_size)len)); - - rv = ec_points_mul(ecParams, &k, NULL, NULL, &(key->publicValue)); - if (rv != SECSuccess) { -@@ -367,16 +379,17 @@ ec_GenerateRandomPrivateKey(const unsign - CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len)); - CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len)); - CHECK_MPI_OK(mp_set_int(&one, 1)); - CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1)); - CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal)); - CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal)); - CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len)); - memset(privKeyBytes + len, 0, len); -+ - cleanup: - mp_clear(&privKeyVal); - mp_clear(&order_1); - mp_clear(&one); - if (err < MP_OKAY) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } -@@ -435,28 +448,34 @@ EC_ValidatePublicKey(ECParams *ecParams, - ECGroup *group = NULL; - SECStatus rv = SECFailure; - mp_err err = MP_OKAY; - unsigned int len; - - if (!ecParams || ecParams->name == ECCurve_noName || - !publicValue || !publicValue->len) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* Uses curve specific code for point validation. */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->validate == NULL) { - /* unknown curve */ - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } -- return method->validate(publicValue); -+ rv = method->validate(publicValue); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ } -+ return rv; - } - - /* NOTE: We only support uncompressed points for now */ - len = (((unsigned int)ecParams->fieldID.size) + 7) >> 3; - if (publicValue->data[0] != EC_POINT_FORM_UNCOMPRESSED) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); - return SECFailure; - } else if (publicValue->len != (2 * len + 1)) { -@@ -505,16 +524,17 @@ EC_ValidatePublicKey(ECParams *ecParams, - } - - rv = SECSuccess; - - cleanup: - ECGroup_free(group); - mp_clear(&Px); - mp_clear(&Py); -+ - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } - return rv; - } - - /* -@@ -531,61 +551,66 @@ SECStatus - ECDH_Derive(SECItem *publicValue, - ECParams *ecParams, - SECItem *privateValue, - PRBool withCofactor, - SECItem *derivedSecret) - { - SECStatus rv = SECFailure; - unsigned int len = 0; -- SECItem pointQ = { siBuffer, NULL, 0 }; -- mp_int k; /* to hold the private value */ - mp_err err = MP_OKAY; --#if EC_DEBUG -- int i; --#endif - - if (!publicValue || !publicValue->len || - !ecParams || ecParams->name == ECCurve_noName || - !privateValue || !privateValue->len || !derivedSecret) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* - * Make sure the point is on the requested curve to avoid - * certain small subgroup attacks. - */ - if (EC_ValidatePublicKey(ecParams, publicValue) != SECSuccess) { - PORT_SetError(SEC_ERROR_BAD_KEY); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - - /* Perform curve specific multiplication using ECMethod */ - if (ecParams->fieldID.type == ec_field_plain) { - const ECMethod *method; - memset(derivedSecret, 0, sizeof(*derivedSecret)); -- derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetPointSize(ecParams)); -+ derivedSecret = SECITEM_AllocItem(NULL, derivedSecret, EC_GetScalarSize(ecParams)); - if (derivedSecret == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); -- return SECFailure; -+ rv = SECFailure; -+ return rv; - } - method = ec_get_method_from_name(ecParams->name); - if (method == NULL || method->validate == NULL || - method->mul == NULL) { - PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -- return SECFailure; -+ rv = SECFailure; -+ goto done; - } - rv = method->mul(derivedSecret, privateValue, publicValue); - if (rv != SECSuccess) { -- SECITEM_ZfreeItem(derivedSecret, PR_FALSE); -+ PORT_SetError(SEC_ERROR_BAD_KEY); - } -- return rv; -+ goto done; - } - -+ SECItem pointQ = { siBuffer, NULL, 0 }; -+ mp_int k; /* to hold the private value */ -+#if EC_DEBUG -+ int i; -+#endif -+ - /* - * We fail if the public value is the point at infinity, since - * this produces predictable results. - */ - if (ec_point_at_infinity(publicValue)) { - PORT_SetError(SEC_ERROR_BAD_KEY); - return SECFailure; - } -@@ -633,84 +658,108 @@ ECDH_Derive(SECItem *publicValue, - for (i = 0; i < derivedSecret->len; i++) - printf("%02x:", derivedSecret->data[i]); - printf("\n"); - #endif - - cleanup: - mp_clear(&k); - -- if (err) { -- MP_TO_SEC_ERROR(err); -- } -- - if (pointQ.data) { - PORT_ZFree(pointQ.data, pointQ.len); - } - -+done: -+ -+ if (err) { -+ MP_TO_SEC_ERROR(err); -+ } -+ if (rv != SECSuccess) { -+ SECITEM_ZfreeItem(derivedSecret, PR_FALSE); -+ } - return rv; - } - - /* Computes the ECDSA signature (a concatenation of two values r and s) - * on the digest using the given key and the random value kb (used in - * computing s). - */ - - static SECStatus - ec_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, - const SECItem *digest, const unsigned char *kb, const int kblen) - { - SECStatus rv = SECFailure; -+ ECParams *ecParams = NULL; -+ mp_err err = MP_OKAY; -+ int flen = 0; /* length in bytes of the field size */ -+ unsigned olen; /* length in bytes of the base point order */ -+ -+ /* Check args */ -+ if (!key || !signature || !digest || !kb || (kblen <= 0)) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ ecParams = &(key->ecParams); -+ flen = (ecParams->fieldID.size + 7) >> 3; -+ olen = ecParams->order.len; -+ if (signature->data == NULL) { -+ /* a call to get the signature length only */ -+ signature->len = 2 * olen; -+ rv = SECSuccess; -+ goto done; -+ } -+ if (signature->len < 2 * olen) { -+ PORT_SetError(SEC_ERROR_OUTPUT_LEN); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ /* Perform curve specific signature using ECMethod */ -+ if (ecParams->fieldID.type == ec_field_plain) { -+ const ECMethod *method = ec_get_method_from_name(ecParams->name); -+ if (method == NULL || method->sign_digest == NULL) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -+ rv = SECFailure; -+ goto done; -+ } -+ rv = method->sign_digest(key, signature, digest, kb, kblen); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ } -+ goto done; -+ } -+ - mp_int x1; - mp_int d, k; /* private key, random integer */ - mp_int r, s; /* tuple (r, s) is the signature */ - mp_int t; /* holding tmp values */ - mp_int n; - mp_int ar; /* blinding value */ -- mp_err err = MP_OKAY; -- ECParams *ecParams = NULL; - SECItem kGpoint = { siBuffer, NULL, 0 }; -- int flen = 0; /* length in bytes of the field size */ -- unsigned olen; /* length in bytes of the base point order */ -+ unsigned char *t2 = NULL; - unsigned obits; /* length in bits of the base point order */ -- unsigned char *t2 = NULL; - - #if EC_DEBUG - char mpstr[256]; - #endif - - /* Initialize MPI integers. */ - /* must happen before the first potential call to cleanup */ - MP_DIGITS(&x1) = 0; - MP_DIGITS(&d) = 0; - MP_DIGITS(&k) = 0; - MP_DIGITS(&r) = 0; - MP_DIGITS(&s) = 0; - MP_DIGITS(&n) = 0; - MP_DIGITS(&t) = 0; - MP_DIGITS(&ar) = 0; - -- /* Check args */ -- if (!key || !signature || !digest || !kb || (kblen < 0)) { -- PORT_SetError(SEC_ERROR_INVALID_ARGS); -- goto cleanup; -- } -- -- ecParams = &(key->ecParams); -- flen = (ecParams->fieldID.size + 7) >> 3; -- olen = ecParams->order.len; -- if (signature->data == NULL) { -- /* a call to get the signature length only */ -- goto finish; -- } -- if (signature->len < 2 * olen) { -- PORT_SetError(SEC_ERROR_OUTPUT_LEN); -- goto cleanup; -- } -- - CHECK_MPI_OK(mp_init(&x1)); - CHECK_MPI_OK(mp_init(&d)); - CHECK_MPI_OK(mp_init(&k)); - CHECK_MPI_OK(mp_init(&r)); - CHECK_MPI_OK(mp_init(&s)); - CHECK_MPI_OK(mp_init(&n)); - CHECK_MPI_OK(mp_init(&t)); - CHECK_MPI_OK(mp_init(&ar)); -@@ -846,21 +895,21 @@ ec_SignDigestWithSeed(ECPrivateKey *key, - } - - /* - ** - ** Signature is tuple (r, s) - */ - CHECK_MPI_OK(mp_to_fixlen_octets(&r, signature->data, olen)); - CHECK_MPI_OK(mp_to_fixlen_octets(&s, signature->data + olen, olen)); --finish: -+ - signature->len = 2 * olen; -- - rv = SECSuccess; - err = MP_OKAY; -+ - cleanup: - mp_clear(&x1); - mp_clear(&d); - mp_clear(&k); - mp_clear(&r); - mp_clear(&s); - mp_clear(&n); - mp_clear(&t); -@@ -869,16 +918,17 @@ cleanup: - if (t2) { - PORT_ZFree(t2, 2 * ecParams->order.len); - } - - if (kGpoint.data) { - PORT_ZFree(kGpoint.data, kGpoint.len); - } - -+done: - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } - - #if EC_DEBUG - printf("ECDSA signing with seed %s\n", - (rv == SECSuccess) ? "succeeded" : "failed"); -@@ -887,22 +937,22 @@ cleanup: - return rv; - } - - SECStatus - ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, - const SECItem *digest, const unsigned char *kb, const int kblen) - { - #if EC_DEBUG || EC_DOUBLECHECK -- - SECItem *signature2 = SECITEM_AllocItem(NULL, NULL, signature->len); - SECStatus signSuccess = ec_SignDigestWithSeed(key, signature, digest, kb, kblen); - SECStatus signSuccessDouble = ec_SignDigestWithSeed(key, signature2, digest, kb, kblen); -- int signaturesEqual = NSS_SecureMemcmp(signature, signature2, signature->len); -+ int signaturesEqual = NSS_SecureMemcmp(signature->data, signature2->data, signature->len); - SECStatus rv; -+ - if ((signaturesEqual == 0) && (signSuccess == SECSuccess) && (signSuccessDouble == SECSuccess)) { - rv = SECSuccess; - } else { - rv = SECFailure; - } - - #if EC_DEBUG - printf("ECDSA signing with seed %s after signing twice\n", (rv == SECSuccess) ? "succeeded" : "failed"); -@@ -961,60 +1011,78 @@ cleanup: - ** of this function is undefined. In cases where a public key might - ** not be valid, use EC_ValidatePublicKey to check. - */ - SECStatus - ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, - const SECItem *digest) - { - SECStatus rv = SECFailure; -+ ECParams *ecParams = NULL; -+ mp_err err = MP_OKAY; -+ -+ /* Check args */ -+ if (!key || !signature || !digest) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ rv = SECFailure; -+ goto done; -+ } -+ -+ ecParams = &(key->ecParams); -+ -+ /* Perform curve specific signature verification using ECMethod */ -+ if (ecParams->fieldID.type == ec_field_plain) { -+ const ECMethod *method = ec_get_method_from_name(ecParams->name); -+ if (method == NULL || method->verify_digest == NULL) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE); -+ rv = SECFailure; -+ goto done; -+ } -+ rv = method->verify_digest(key, signature, digest); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ } -+ goto done; -+ } -+ - mp_int r_, s_; /* tuple (r', s') is received signature) */ - mp_int c, u1, u2, v; /* intermediate values used in verification */ - mp_int x1; - mp_int n; -- mp_err err = MP_OKAY; -- ECParams *ecParams = NULL; - SECItem pointC = { siBuffer, NULL, 0 }; - int slen; /* length in bytes of a half signature (r or s) */ - int flen; /* length in bytes of the field size */ - unsigned olen; /* length in bytes of the base point order */ - unsigned obits; /* length in bits of the base point order */ - - #if EC_DEBUG - char mpstr[256]; - printf("ECDSA verification called\n"); - #endif - -+ flen = (ecParams->fieldID.size + 7) >> 3; -+ olen = ecParams->order.len; -+ if (signature->len == 0 || signature->len % 2 != 0 || -+ signature->len > 2 * olen) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ goto cleanup; -+ } -+ slen = signature->len / 2; -+ - /* Initialize MPI integers. */ - /* must happen before the first potential call to cleanup */ - MP_DIGITS(&r_) = 0; - MP_DIGITS(&s_) = 0; - MP_DIGITS(&c) = 0; - MP_DIGITS(&u1) = 0; - MP_DIGITS(&u2) = 0; - MP_DIGITS(&x1) = 0; - MP_DIGITS(&v) = 0; - MP_DIGITS(&n) = 0; - -- /* Check args */ -- if (!key || !signature || !digest) { -- PORT_SetError(SEC_ERROR_INVALID_ARGS); -- goto cleanup; -- } -- -- ecParams = &(key->ecParams); -- flen = (ecParams->fieldID.size + 7) >> 3; -- olen = ecParams->order.len; -- if (signature->len == 0 || signature->len % 2 != 0 || -- signature->len > 2 * olen) { -- PORT_SetError(SEC_ERROR_INPUT_LEN); -- goto cleanup; -- } -- slen = signature->len / 2; -- - /* - * The incoming point has been verified in sftk_handlePublicKeyObject. - */ - - SECITEM_AllocItem(NULL, &pointC, EC_GetPointSize(ecParams)); - if (pointC.data == NULL) { - goto cleanup; - } -@@ -1151,16 +1219,18 @@ cleanup: - mp_clear(&u1); - mp_clear(&u2); - mp_clear(&x1); - mp_clear(&v); - mp_clear(&n); - - if (pointC.data) - SECITEM_ZfreeItem(&pointC, PR_FALSE); -+ -+done: - if (err) { - MP_TO_SEC_ERROR(err); - rv = SECFailure; - } - - #if EC_DEBUG - printf("ECDSA verification %s\n", - (rv == SECSuccess) ? "succeeded" : "failed"); -diff --git a/lib/freebl/ec.h b/lib/freebl/ec.h ---- a/lib/freebl/ec.h -+++ b/lib/freebl/ec.h -@@ -10,12 +10,14 @@ - #define ANSI_X962_CURVE_OID_TOTAL_LEN 10 - #define SECG_CURVE_OID_TOTAL_LEN 7 - #define PKIX_NEWCURVES_OID_TOTAL_LEN 11 - - struct ECMethodStr { - ECCurveName name; - SECStatus (*mul)(SECItem *result, SECItem *scalar, SECItem *point); - SECStatus (*validate)(const SECItem *point); -+ SECStatus (*sign_digest)(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const unsigned int kblen); -+ SECStatus (*verify_digest)(ECPublicKey *key, const SECItem *signature, const SECItem *digest); - }; - typedef struct ECMethodStr ECMethod; - - #endif /* __ec_h_ */ -diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c ---- a/lib/freebl/ecdecode.c -+++ b/lib/freebl/ecdecode.c -@@ -150,17 +150,17 @@ EC_FillParams(PLArenaPool *arena, const - #endif - - switch (tag) { - case SEC_OID_ANSIX962_EC_PRIME256V1: - /* Populate params for prime256v1 aka secp256r1 - * (the NIST P-256 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_X9_62_PRIME_256V1, -- ec_field_GFp, params)); -+ ec_field_plain, params)); - break; - - case SEC_OID_SECG_EC_SECP384R1: - /* Populate params for secp384r1 - * (the NIST P-384 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_384R1, - ec_field_GFp, params)); -@@ -171,17 +171,18 @@ EC_FillParams(PLArenaPool *arena, const - * (the NIST P-521 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, - ec_field_GFp, params)); - break; - - case SEC_OID_CURVE25519: - /* Populate params for Curve25519 */ -- CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, ec_field_plain, -+ CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, -+ ec_field_plain, - params)); - break; - - default: - break; - }; - - cleanup: -@@ -245,8 +246,23 @@ EC_GetPointSize(const ECParams *params) - return sizeInBytes * 2 + 1; - } - if (name == ECCurve25519) { - /* Only X here */ - return curveParams->scalarSize; - } - return curveParams->pointSize - 1; - } -+ -+int -+EC_GetScalarSize(const ECParams *params) -+{ -+ ECCurveName name = params->name; -+ const ECCurveBytes *curveParams; -+ -+ if ((name < ECCurve_noName) || (name > ECCurve_pastLastCurve) || -+ ((curveParams = ecCurve_map[name]) == NULL)) { -+ /* unknown curve, calculate scalar size from field size in params */ -+ int sizeInBytes = (params->fieldID.size + 7) / 8; -+ return sizeInBytes; -+ } -+ return curveParams->scalarSize; -+} -diff --git a/lib/freebl/ecl/ecl.h b/lib/freebl/ecl/ecl.h ---- a/lib/freebl/ecl/ecl.h -+++ b/lib/freebl/ecl/ecl.h -@@ -41,9 +41,18 @@ mp_err ECPoints_mul(const ECGroup *group - * Returns MP_YES if the public key is valid, MP_NO if the public key - * is invalid, or an error code if the validation could not be - * performed. */ - mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const mp_int *py); - - SECStatus ec_Curve25519_pt_mul(SECItem *X, SECItem *k, SECItem *P); - SECStatus ec_Curve25519_pt_validate(const SECItem *px); - -+SECStatus ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P); -+SECStatus ec_secp256r1_pt_validate(const SECItem *px); -+ -+SECStatus ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, -+ const SECItem *digest, const unsigned char *kb, -+ const unsigned int kblen); -+SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, -+ const SECItem *digest); -+ - #endif /* __ecl_h_ */ -diff --git a/lib/freebl/ecl/ecp_secp256r1.c b/lib/freebl/ecl/ecp_secp256r1.c -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/ecl/ecp_secp256r1.c -@@ -0,0 +1,229 @@ -+/* P-256 from HACL* */ -+ -+#ifdef FREEBL_NO_DEPEND -+#include "../stubs.h" -+#endif -+ -+#include "ecl-priv.h" -+#include "secitem.h" -+#include "secerr.h" -+#include "secmpi.h" -+#include "../verified/Hacl_P256.h" -+ -+/* -+ * Point Validation for P-256. -+ */ -+ -+SECStatus -+ec_secp256r1_pt_validate(const SECItem *pt) -+{ -+ SECStatus res = SECSuccess; -+ if (!pt || !pt->data) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (pt->len != 65) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (pt->data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_validate_public_key(pt->data + 1); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ } -+ return res; -+} -+ -+/* -+ * Scalar multiplication for P-256. -+ * If P == NULL, the base point is used. -+ * Returns X = k*P -+ */ -+ -+SECStatus -+ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P) -+{ -+ SECStatus res = SECSuccess; -+ if (!P) { -+ uint8_t derived[64] = { 0 }; -+ -+ if (!X || !k || !X->data || !k->data || -+ X->len < 65 || k->len != 32) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_dh_initiator(derived, k->data); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ X->len = 65; -+ X->data[0] = EC_POINT_FORM_UNCOMPRESSED; -+ memcpy(X->data + 1, derived, 64); -+ -+ } else { -+ uint8_t full_key[32] = { 0 }; -+ uint8_t *key; -+ uint8_t derived[64] = { 0 }; -+ -+ if (!X || !k || !P || !X->data || !k->data || !P->data || -+ X->len < 32 || P->len != 65 || -+ P->data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ /* We consider keys of up to size 32, or of size 33 with a single leading 0 */ -+ if (k->len < 32) { -+ memcpy(full_key + 32 - k->len, k->data, k->len); -+ key = full_key; -+ } else if (k->len == 32) { -+ key = k->data; -+ } else if (k->len == 33 && k->data[0] == 0) { -+ key = k->data + 1; -+ } else { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ bool b = Hacl_P256_dh_responder(derived, P->data + 1, key); -+ -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ X->len = 32; -+ memcpy(X->data, derived, 32); -+ } -+ -+ return res; -+} -+ -+/* -+ * ECDSA Signature for P-256 -+ */ -+ -+SECStatus -+ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature, -+ const SECItem *digest, const unsigned char *kb, -+ const unsigned int kblen) -+{ -+ SECStatus res = SECSuccess; -+ -+ if (!key || !signature || !digest || !kb || -+ !key->privateValue.data || -+ !signature->data || !digest->data || -+ key->ecParams.name != ECCurve_NIST_P256) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->privateValue.len != 32 || -+ kblen == 0 || -+ digest->len == 0 || -+ signature->len < 64) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ res = SECFailure; -+ return res; -+ } -+ -+ uint8_t hash[32] = { 0 }; -+ if (digest->len < 32) { -+ memcpy(hash + 32 - digest->len, digest->data, digest->len); -+ } else { -+ memcpy(hash, digest->data, 32); -+ } -+ -+ uint8_t nonce[32] = { 0 }; -+ if (kblen < 32) { -+ memcpy(nonce + 32 - kblen, kb, kblen); -+ } else { -+ memcpy(nonce, kb, 32); -+ } -+ -+ bool b = Hacl_P256_ecdsa_sign_p256_without_hash( -+ signature->data, 32, hash, -+ key->privateValue.data, nonce); -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_KEY); -+ res = SECFailure; -+ return res; -+ } -+ -+ signature->len = 64; -+ return res; -+} -+ -+/* -+ * ECDSA Signature Verification for P-256 -+ */ -+ -+SECStatus -+ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature, -+ const SECItem *digest) -+{ -+ SECStatus res = SECSuccess; -+ -+ if (!key || !signature || !digest || -+ !key->publicValue.data || -+ !signature->data || !digest->data || -+ key->ecParams.name != ECCurve_NIST_P256) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->publicValue.len != 65 || -+ digest->len == 0 || -+ signature->len != 64) { -+ PORT_SetError(SEC_ERROR_INPUT_LEN); -+ res = SECFailure; -+ return res; -+ } -+ -+ if (key->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_EC_POINT_FORM); -+ res = SECFailure; -+ return res; -+ } -+ -+ uint8_t hash[32] = { 0 }; -+ if (digest->len < 32) { -+ memcpy(hash + 32 - digest->len, digest->data, digest->len); -+ } else { -+ memcpy(hash, digest->data, 32); -+ } -+ -+ bool b = Hacl_P256_ecdsa_verif_without_hash( -+ 32, hash, -+ key->publicValue.data + 1, -+ signature->data, signature->data + 32); -+ if (!b) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ res = SECFailure; -+ return res; -+ } -+ -+ return res; -+} -diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp ---- a/lib/freebl/freebl.gyp -+++ b/lib/freebl/freebl.gyp -@@ -838,24 +838,26 @@ - 'MP_IS_LITTLE_ENDIAN', - ], - }], - # Poly1305_256 requires the flag to run - ['target_arch=="x64"', { - 'defines':[ - 'HACL_CAN_COMPILE_VEC128', - 'HACL_CAN_COMPILE_VEC256', -+ 'HACL_CAN_COMPILE_INTRINSICS', - ], - }], - # MSVC has no __int128 type. Use emulated int128 and leave - # have_int128_support as-is for Curve25519 impl. selection. - [ 'have_int128_support==1 and (OS!="win" or cc_is_clang==1 or cc_is_gcc==1)', { - 'defines': [ - # The Makefile does version-tests on GCC, but we're not doing that here. - 'HAVE_INT128_SUPPORT', -+ 'HACL_CAN_COMPILE_UINT128' - ], - }, { - 'defines': [ - 'KRML_VERIFIED_UINT128', - ], - }], - [ 'OS=="linux"', { - 'defines': [ -diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi ---- a/lib/freebl/freebl_base.gypi -+++ b/lib/freebl/freebl_base.gypi -@@ -29,18 +29,20 @@ - 'ecl/ecp_256.c', - 'ecl/ecp_256_32.c', - 'ecl/ecp_384.c', - 'ecl/ecp_521.c', - 'ecl/ecp_aff.c', - 'ecl/ecp_jac.c', - 'ecl/ecp_jm.c', - 'ecl/ecp_mont.c', -+ 'ecl/ecp_secp256r1.c', - 'ecl/ecp_secp384r1.c', - 'ecl/ecp_secp521r1.c', -+ 'verified/Hacl_P256.c', - 'fipsfreebl.c', - 'blinit.c', - 'freeblver.c', - 'gcm.c', - 'hmacct.c', - 'jpake.c', - 'ldvector.c', - 'md2.c', -diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn ---- a/lib/freebl/manifest.mn -+++ b/lib/freebl/manifest.mn -@@ -102,17 +102,17 @@ PRIVATE_EXPORTS = \ - MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h - MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c - - - ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h - ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \ - ecp_aff.c ecp_jac.c ecp_mont.c \ - ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \ -- ecp_256_32.c ecp_25519.c ecp_secp384r1.c ecp_secp521r1.c -+ ecp_256_32.c ecp_25519.c ecp_secp256r1.c ecp_secp384r1.c ecp_secp521r1.c - SHA_SRCS = sha_fast.c - MPCPU_SRCS = mpcpucache.c - VERIFIED_SRCS = $(NULL) - - CSRCS = \ - freeblver.c \ - ldvector.c \ - sysrand.c \ -diff --git a/lib/freebl/verified/Hacl_P256.c b/lib/freebl/verified/Hacl_P256.c -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/Hacl_P256.c -@@ -0,0 +1,1832 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#include "internal/Hacl_P256.h" -+ -+#include "internal/Hacl_P256_PrecompTable.h" -+#include "internal/Hacl_Krmllib.h" -+#include "internal/Hacl_Bignum_Base.h" -+#include "lib_intrinsics.h" -+ -+static inline uint64_t -+bn_is_zero_mask4(uint64_t *f) -+{ -+ uint64_t bn_zero[4U] = { 0U }; -+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t uu____0 = FStar_UInt64_eq_mask(f[i], bn_zero[i]); -+ mask = uu____0 & mask;); -+ uint64_t mask1 = mask; -+ uint64_t res = mask1; -+ return res; -+} -+ -+static inline bool -+bn_is_zero_vartime4(uint64_t *f) -+{ -+ uint64_t m = bn_is_zero_mask4(f); -+ return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+static inline uint64_t -+bn_is_eq_mask4(uint64_t *a, uint64_t *b) -+{ -+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t uu____0 = FStar_UInt64_eq_mask(a[i], b[i]); -+ mask = uu____0 & mask;); -+ uint64_t mask1 = mask; -+ return mask1; -+} -+ -+static inline bool -+bn_is_eq_vartime4(uint64_t *a, uint64_t *b) -+{ -+ uint64_t m = bn_is_eq_mask4(a, b); -+ return m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+static inline void -+bn_cmovznz4(uint64_t *res, uint64_t cin, uint64_t *x, uint64_t *y) -+{ -+ uint64_t mask = ~FStar_UInt64_eq_mask(cin, (uint64_t)0U); -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t uu____0 = x[i]; -+ uint64_t x1 = uu____0 ^ (mask & (y[i] ^ uu____0)); -+ os[i] = x1;); -+} -+ -+static inline void -+bn_add_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c0 = (uint64_t)0U; -+ { -+ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, t12, t2, res_i); -+ } -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline uint64_t -+bn_sub4(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c0 = c; -+ return c0; -+} -+ -+static inline void -+bn_sub_mod4(uint64_t *res, uint64_t *n, uint64_t *x, uint64_t *y) -+{ -+ uint64_t c0 = (uint64_t)0U; -+ { -+ uint64_t t1 = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = y[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res + (uint32_t)4U * (uint32_t)0U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t1, t20, res_i0); -+ uint64_t t10 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t10, t21, res_i1); -+ uint64_t t11 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t11, t22, res_i2); -+ uint64_t t12 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = y[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c0 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c0, t12, t2, res_i); -+ } -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ // TODO: remove unused variable -+ (void)c1; -+ uint64_t c2 = (uint64_t)0U - c00; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & tmp[i]) | (~c2 & res[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+bn_mul4(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ memset(res, 0U, (uint32_t)8U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t bj = y[i0]; -+ uint64_t *res_j = res + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = x[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, bj, c, res_i0); -+ uint64_t a_i0 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, bj, c, res_i1); -+ uint64_t a_i1 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, bj, c, res_i2); -+ uint64_t a_i2 = x[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, bj, c, res_i); -+ } uint64_t r = c; -+ res[(uint32_t)4U + i0] = r;); -+} -+ -+static inline void -+bn_sqr4(uint64_t *res, uint64_t *x) -+{ -+ memset(res, 0U, (uint32_t)8U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *ab = x; -+ uint64_t a_j = x[i0]; -+ uint64_t *res_j = res + i0; -+ uint64_t c = (uint64_t)0U; -+ for (uint32_t i = (uint32_t)0U; i < i0 / (uint32_t)4U; i++) { -+ uint64_t a_i = ab[(uint32_t)4U * i]; -+ uint64_t *res_i0 = res_j + (uint32_t)4U * i; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i0); -+ uint64_t a_i0 = ab[(uint32_t)4U * i + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j + (uint32_t)4U * i + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, a_j, c, res_i1); -+ uint64_t a_i1 = ab[(uint32_t)4U * i + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j + (uint32_t)4U * i + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, a_j, c, res_i2); -+ uint64_t a_i2 = ab[(uint32_t)4U * i + (uint32_t)3U]; -+ uint64_t *res_i = res_j + (uint32_t)4U * i + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, a_j, c, res_i); -+ } -+ for (uint32_t i = i0 / (uint32_t)4U * (uint32_t)4U; i < i0; i++) { -+ uint64_t a_i = ab[i]; -+ uint64_t *res_i = res_j + i; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, a_j, c, res_i); -+ } -+ uint64_t r = c; -+ res[i0 + i0] = r;); -+ uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, res, res); -+ // TODO: remove unused variable -+ (void)c0; -+ uint64_t tmp[8U] = { 0U }; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(x[i], x[i]); -+ uint64_t hi = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res1, (uint32_t)64U)); -+ uint64_t lo = FStar_UInt128_uint128_to_uint64(res1); -+ tmp[(uint32_t)2U * i] = lo; -+ tmp[(uint32_t)2U * i + (uint32_t)1U] = hi;); -+ uint64_t c1 = Hacl_Bignum_Addition_bn_add_eq_len_u64((uint32_t)8U, res, tmp, res); -+ // TODO: remove unused variable -+ (void)c1; -+} -+ -+static inline void -+bn_to_bytes_be4(uint8_t *res, uint64_t *f) -+{ -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ store64_be(res + i * (uint32_t)8U, f[(uint32_t)4U - i - (uint32_t)1U]);); -+} -+ -+static inline void -+bn_from_bytes_be4(uint64_t *res, uint8_t *b) -+{ -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t u = load64_be(b + ((uint32_t)4U - i - (uint32_t)1U) * (uint32_t)8U); -+ uint64_t x = u; -+ os[i] = x;); -+} -+ -+static inline void -+bn2_to_bytes_be4(uint8_t *res, uint64_t *x, uint64_t *y) -+{ -+ bn_to_bytes_be4(res, x); -+ bn_to_bytes_be4(res + (uint32_t)32U, y); -+} -+ -+static inline void -+make_prime(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xffffffffffffffffU; -+ n[1U] = (uint64_t)0xffffffffU; -+ n[2U] = (uint64_t)0x0U; -+ n[3U] = (uint64_t)0xffffffff00000001U; -+} -+ -+static inline void -+make_order(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xf3b9cac2fc632551U; -+ n[1U] = (uint64_t)0xbce6faada7179e84U; -+ n[2U] = (uint64_t)0xffffffffffffffffU; -+ n[3U] = (uint64_t)0xffffffff00000000U; -+} -+ -+static inline void -+make_a_coeff(uint64_t *a) -+{ -+ a[0U] = (uint64_t)0xfffffffffffffffcU; -+ a[1U] = (uint64_t)0x3ffffffffU; -+ a[2U] = (uint64_t)0x0U; -+ a[3U] = (uint64_t)0xfffffffc00000004U; -+} -+ -+static inline void -+make_b_coeff(uint64_t *b) -+{ -+ b[0U] = (uint64_t)0xd89cdf6229c4bddfU; -+ b[1U] = (uint64_t)0xacf005cd78843090U; -+ b[2U] = (uint64_t)0xe5a220abf7212ed6U; -+ b[3U] = (uint64_t)0xdc30061d04874834U; -+} -+ -+static inline void -+make_g_x(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x79e730d418a9143cU; -+ n[1U] = (uint64_t)0x75ba95fc5fedb601U; -+ n[2U] = (uint64_t)0x79fb732b77622510U; -+ n[3U] = (uint64_t)0x18905f76a53755c6U; -+} -+ -+static inline void -+make_g_y(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0xddf25357ce95560aU; -+ n[1U] = (uint64_t)0x8b4ab8e4ba19e45cU; -+ n[2U] = (uint64_t)0xd2e88688dd21f325U; -+ n[3U] = (uint64_t)0x8571ff1825885d85U; -+} -+ -+static inline void -+make_fmont_R2(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x3U; -+ n[1U] = (uint64_t)0xfffffffbffffffffU; -+ n[2U] = (uint64_t)0xfffffffffffffffeU; -+ n[3U] = (uint64_t)0x4fffffffdU; -+} -+ -+static inline void -+make_fzero(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0U; -+ n[1U] = (uint64_t)0U; -+ n[2U] = (uint64_t)0U; -+ n[3U] = (uint64_t)0U; -+} -+ -+static inline void -+make_fone(uint64_t *n) -+{ -+ n[0U] = (uint64_t)0x1U; -+ n[1U] = (uint64_t)0xffffffff00000000U; -+ n[2U] = (uint64_t)0xffffffffffffffffU; -+ n[3U] = (uint64_t)0xfffffffeU; -+} -+ -+static inline uint64_t -+bn_is_lt_prime_mask4(uint64_t *f) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_prime(tmp); -+ uint64_t c = bn_sub4(tmp, f, tmp); -+ return (uint64_t)0U - c; -+} -+ -+static inline uint64_t -+feq_mask(uint64_t *a, uint64_t *b) -+{ -+ uint64_t r = bn_is_eq_mask4(a, b); -+ return r; -+} -+ -+static inline void -+fadd0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ bn_add_mod4(res, n, x, y); -+} -+ -+static inline void -+fsub0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ bn_sub_mod4(res, n, x, y); -+} -+ -+static inline void -+fnegate_conditional_vartime(uint64_t *f, bool is_negate) -+{ -+ uint64_t zero[4U] = { 0U }; -+ if (is_negate) { -+ fsub0(f, zero, f); -+ } -+} -+ -+static inline void -+mont_reduction(uint64_t *res, uint64_t *x) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_prime(n); -+ uint64_t c0 = (uint64_t)0U; -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t qj = (uint64_t)1U * x[i0]; -+ uint64_t *res_j0 = x + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j0 + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); -+ uint64_t a_i0 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); -+ uint64_t a_i1 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); -+ uint64_t a_i2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); -+ } uint64_t r = c; -+ uint64_t c1 = r; -+ uint64_t *resb = x + (uint32_t)4U + i0; -+ uint64_t res_j = x[(uint32_t)4U + i0]; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); -+ memcpy(res, x + (uint32_t)4U, (uint32_t)4U * sizeof(uint64_t)); -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+fmul0(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_mul4(tmp, x, y); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+fsqr0(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_sqr4(tmp, x); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+from_mont(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ memcpy(tmp, a, (uint32_t)4U * sizeof(uint64_t)); -+ mont_reduction(res, tmp); -+} -+ -+static inline void -+to_mont(uint64_t *res, uint64_t *a) -+{ -+ uint64_t r2modn[4U] = { 0U }; -+ make_fmont_R2(r2modn); -+ fmul0(res, a, r2modn); -+} -+ -+static inline void -+fmul_by_b_coeff(uint64_t *res, uint64_t *x) -+{ -+ uint64_t b_coeff[4U] = { 0U }; -+ make_b_coeff(b_coeff); -+ fmul0(res, b_coeff, x); -+} -+ -+static inline void -+fcube(uint64_t *res, uint64_t *x) -+{ -+ fsqr0(res, x); -+ fmul0(res, res, x); -+} -+ -+static inline void -+finv(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *x30 = tmp; -+ uint64_t *x2 = tmp + (uint32_t)4U; -+ uint64_t *tmp1 = tmp + (uint32_t)8U; -+ uint64_t *tmp2 = tmp + (uint32_t)12U; -+ memcpy(x2, a, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, a); -+ memcpy(x30, x2, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(x30, x30); -+ } -+ fmul0(x30, x30, a); -+ memcpy(tmp1, x30, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x30); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x30); -+ memcpy(x30, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i, (uint32_t)0U, (uint32_t)15U, (uint32_t)1U, fsqr0(x30, x30);); -+ fmul0(x30, x30, tmp1); -+ memcpy(tmp1, x30, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, x2); -+ memcpy(x2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)128U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, tmp1); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, tmp1); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)30U; i++) { -+ fsqr0(x2, x2); -+ } -+ fmul0(x2, x2, x30); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(x2, x2);); -+ fmul0(tmp1, x2, a); -+ memcpy(res, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+fsqrt(uint64_t *res, uint64_t *a) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ uint64_t *tmp1 = tmp; -+ uint64_t *tmp2 = tmp + (uint32_t)4U; -+ memcpy(tmp1, a, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ fsqr0(tmp1, tmp1); -+ } -+ fmul0(tmp1, tmp1, a); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, tmp2); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, fsqr0(tmp2, tmp2);); -+ fmul0(tmp2, tmp2, tmp1); -+ memcpy(tmp1, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR16(i, (uint32_t)0U, (uint32_t)16U, (uint32_t)1U, fsqr0(tmp1, tmp1);); -+ fmul0(tmp1, tmp1, tmp2); -+ memcpy(tmp2, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ fmul0(tmp2, tmp2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)96U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ fmul0(tmp2, tmp2, a); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)94U; i++) { -+ fsqr0(tmp2, tmp2); -+ } -+ memcpy(res, tmp2, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+make_base_point(uint64_t *p) -+{ -+ uint64_t *x = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z = p + (uint32_t)8U; -+ make_g_x(x); -+ make_g_y(y); -+ make_fone(z); -+} -+ -+static inline void -+make_point_at_inf(uint64_t *p) -+{ -+ uint64_t *x = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z = p + (uint32_t)8U; -+ make_fzero(x); -+ make_fone(y); -+ make_fzero(z); -+} -+ -+static inline bool -+is_point_at_inf_vartime(uint64_t *p) -+{ -+ uint64_t *pz = p + (uint32_t)8U; -+ return bn_is_zero_vartime4(pz); -+} -+ -+static inline void -+to_aff_point(uint64_t *res, uint64_t *p) -+{ -+ uint64_t zinv[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t *pz = p + (uint32_t)8U; -+ uint64_t *x = res; -+ uint64_t *y = res + (uint32_t)4U; -+ finv(zinv, pz); -+ fmul0(x, px, zinv); -+ fmul0(y, py, zinv); -+ from_mont(x, x); -+ from_mont(y, y); -+} -+ -+static inline void -+to_aff_point_x(uint64_t *res, uint64_t *p) -+{ -+ uint64_t zinv[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *pz = p + (uint32_t)8U; -+ finv(zinv, pz); -+ fmul0(res, px, zinv); -+ from_mont(res, res); -+} -+ -+static inline void -+to_proj_point(uint64_t *res, uint64_t *p) -+{ -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t *rx = res; -+ uint64_t *ry = res + (uint32_t)4U; -+ uint64_t *rz = res + (uint32_t)8U; -+ to_mont(rx, px); -+ to_mont(ry, py); -+ make_fone(rz); -+} -+ -+static inline bool -+is_on_curve_vartime(uint64_t *p) -+{ -+ uint64_t rp[4U] = { 0U }; -+ uint64_t tx[4U] = { 0U }; -+ uint64_t ty[4U] = { 0U }; -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ to_mont(tx, px); -+ to_mont(ty, py); -+ uint64_t tmp[4U] = { 0U }; -+ fcube(rp, tx); -+ make_a_coeff(tmp); -+ fmul0(tmp, tmp, tx); -+ fadd0(rp, tmp, rp); -+ make_b_coeff(tmp); -+ fadd0(rp, tmp, rp); -+ fsqr0(ty, ty); -+ uint64_t r = feq_mask(ty, rp); -+ bool r0 = r == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ return r0; -+} -+ -+static inline void -+aff_point_store(uint8_t *res, uint64_t *p) -+{ -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ bn2_to_bytes_be4(res, px, py); -+} -+ -+static inline void -+point_store(uint8_t *res, uint64_t *p) -+{ -+ uint64_t aff_p[8U] = { 0U }; -+ to_aff_point(aff_p, p); -+ aff_point_store(res, aff_p); -+} -+ -+static inline bool -+aff_point_load_vartime(uint64_t *p, uint8_t *b) -+{ -+ uint8_t *p_x = b; -+ uint8_t *p_y = b + (uint32_t)32U; -+ uint64_t *bn_p_x = p; -+ uint64_t *bn_p_y = p + (uint32_t)4U; -+ bn_from_bytes_be4(bn_p_x, p_x); -+ bn_from_bytes_be4(bn_p_y, p_y); -+ uint64_t *px = p; -+ uint64_t *py = p + (uint32_t)4U; -+ uint64_t lessX = bn_is_lt_prime_mask4(px); -+ uint64_t lessY = bn_is_lt_prime_mask4(py); -+ uint64_t res = lessX & lessY; -+ bool is_xy_valid = res == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ if (!is_xy_valid) { -+ return false; -+ } -+ return is_on_curve_vartime(p); -+} -+ -+static inline bool -+load_point_vartime(uint64_t *p, uint8_t *b) -+{ -+ uint64_t p_aff[8U] = { 0U }; -+ bool res = aff_point_load_vartime(p_aff, b); -+ if (res) { -+ to_proj_point(p, p_aff); -+ } -+ return res; -+} -+ -+static inline bool -+aff_point_decompress_vartime(uint64_t *x, uint64_t *y, uint8_t *s) -+{ -+ uint8_t s0 = s[0U]; -+ uint8_t s01 = s0; -+ if (!(s01 == (uint8_t)0x02U || s01 == (uint8_t)0x03U)) { -+ return false; -+ } -+ uint8_t *xb = s + (uint32_t)1U; -+ bn_from_bytes_be4(x, xb); -+ uint64_t is_x_valid = bn_is_lt_prime_mask4(x); -+ bool is_x_valid1 = is_x_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ bool is_y_odd = s01 == (uint8_t)0x03U; -+ if (!is_x_valid1) { -+ return false; -+ } -+ uint64_t y2M[4U] = { 0U }; -+ uint64_t xM[4U] = { 0U }; -+ uint64_t yM[4U] = { 0U }; -+ to_mont(xM, x); -+ uint64_t tmp[4U] = { 0U }; -+ fcube(y2M, xM); -+ make_a_coeff(tmp); -+ fmul0(tmp, tmp, xM); -+ fadd0(y2M, tmp, y2M); -+ make_b_coeff(tmp); -+ fadd0(y2M, tmp, y2M); -+ fsqrt(yM, y2M); -+ from_mont(y, yM); -+ fsqr0(yM, yM); -+ uint64_t r = feq_mask(yM, y2M); -+ bool is_y_valid = r == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ bool is_y_valid0 = is_y_valid; -+ if (!is_y_valid0) { -+ return false; -+ } -+ uint64_t is_y_odd1 = y[0U] & (uint64_t)1U; -+ bool is_y_odd2 = is_y_odd1 == (uint64_t)1U; -+ fnegate_conditional_vartime(y, is_y_odd2 != is_y_odd); -+ return true; -+} -+ -+static inline void -+point_double(uint64_t *res, uint64_t *p) -+{ -+ uint64_t tmp[20U] = { 0U }; -+ uint64_t *x = p; -+ uint64_t *z = p + (uint32_t)8U; -+ uint64_t *x3 = res; -+ uint64_t *y3 = res + (uint32_t)4U; -+ uint64_t *z3 = res + (uint32_t)8U; -+ uint64_t *t0 = tmp; -+ uint64_t *t1 = tmp + (uint32_t)4U; -+ uint64_t *t2 = tmp + (uint32_t)8U; -+ uint64_t *t3 = tmp + (uint32_t)12U; -+ uint64_t *t4 = tmp + (uint32_t)16U; -+ uint64_t *x1 = p; -+ uint64_t *y = p + (uint32_t)4U; -+ uint64_t *z1 = p + (uint32_t)8U; -+ fsqr0(t0, x1); -+ fsqr0(t1, y); -+ fsqr0(t2, z1); -+ fmul0(t3, x1, y); -+ fadd0(t3, t3, t3); -+ fmul0(t4, y, z1); -+ fmul0(z3, x, z); -+ fadd0(z3, z3, z3); -+ fmul_by_b_coeff(y3, t2); -+ fsub0(y3, y3, z3); -+ fadd0(x3, y3, y3); -+ fadd0(y3, x3, y3); -+ fsub0(x3, t1, y3); -+ fadd0(y3, t1, y3); -+ fmul0(y3, x3, y3); -+ fmul0(x3, x3, t3); -+ fadd0(t3, t2, t2); -+ fadd0(t2, t2, t3); -+ fmul_by_b_coeff(z3, z3); -+ fsub0(z3, z3, t2); -+ fsub0(z3, z3, t0); -+ fadd0(t3, z3, z3); -+ fadd0(z3, z3, t3); -+ fadd0(t3, t0, t0); -+ fadd0(t0, t3, t0); -+ fsub0(t0, t0, t2); -+ fmul0(t0, t0, z3); -+ fadd0(y3, y3, t0); -+ fadd0(t0, t4, t4); -+ fmul0(z3, t0, z3); -+ fsub0(x3, x3, z3); -+ fmul0(z3, t0, t1); -+ fadd0(z3, z3, z3); -+ fadd0(z3, z3, z3); -+} -+ -+static inline void -+point_add(uint64_t *res, uint64_t *p, uint64_t *q) -+{ -+ uint64_t tmp[36U] = { 0U }; -+ uint64_t *t0 = tmp; -+ uint64_t *t1 = tmp + (uint32_t)24U; -+ uint64_t *x3 = t1; -+ uint64_t *y3 = t1 + (uint32_t)4U; -+ uint64_t *z3 = t1 + (uint32_t)8U; -+ uint64_t *t01 = t0; -+ uint64_t *t11 = t0 + (uint32_t)4U; -+ uint64_t *t2 = t0 + (uint32_t)8U; -+ uint64_t *t3 = t0 + (uint32_t)12U; -+ uint64_t *t4 = t0 + (uint32_t)16U; -+ uint64_t *t5 = t0 + (uint32_t)20U; -+ uint64_t *x1 = p; -+ uint64_t *y1 = p + (uint32_t)4U; -+ uint64_t *z10 = p + (uint32_t)8U; -+ uint64_t *x20 = q; -+ uint64_t *y20 = q + (uint32_t)4U; -+ uint64_t *z20 = q + (uint32_t)8U; -+ fmul0(t01, x1, x20); -+ fmul0(t11, y1, y20); -+ fmul0(t2, z10, z20); -+ fadd0(t3, x1, y1); -+ fadd0(t4, x20, y20); -+ fmul0(t3, t3, t4); -+ fadd0(t4, t01, t11); -+ uint64_t *y10 = p + (uint32_t)4U; -+ uint64_t *z11 = p + (uint32_t)8U; -+ uint64_t *y2 = q + (uint32_t)4U; -+ uint64_t *z21 = q + (uint32_t)8U; -+ fsub0(t3, t3, t4); -+ fadd0(t4, y10, z11); -+ fadd0(t5, y2, z21); -+ fmul0(t4, t4, t5); -+ fadd0(t5, t11, t2); -+ fsub0(t4, t4, t5); -+ uint64_t *x10 = p; -+ uint64_t *z1 = p + (uint32_t)8U; -+ uint64_t *x2 = q; -+ uint64_t *z2 = q + (uint32_t)8U; -+ fadd0(x3, x10, z1); -+ fadd0(y3, x2, z2); -+ fmul0(x3, x3, y3); -+ fadd0(y3, t01, t2); -+ fsub0(y3, x3, y3); -+ fmul_by_b_coeff(z3, t2); -+ fsub0(x3, y3, z3); -+ fadd0(z3, x3, x3); -+ fadd0(x3, x3, z3); -+ fsub0(z3, t11, x3); -+ fadd0(x3, t11, x3); -+ fmul_by_b_coeff(y3, y3); -+ fadd0(t11, t2, t2); -+ fadd0(t2, t11, t2); -+ fsub0(y3, y3, t2); -+ fsub0(y3, y3, t01); -+ fadd0(t11, y3, y3); -+ fadd0(y3, t11, y3); -+ fadd0(t11, t01, t01); -+ fadd0(t01, t11, t01); -+ fsub0(t01, t01, t2); -+ fmul0(t11, t4, y3); -+ fmul0(t2, t01, y3); -+ fmul0(y3, x3, z3); -+ fadd0(y3, y3, t2); -+ fmul0(x3, t3, x3); -+ fsub0(x3, x3, t11); -+ fmul0(z3, t4, z3); -+ fmul0(t11, t3, t01); -+ fadd0(z3, z3, t11); -+ memcpy(res, t1, (uint32_t)12U * sizeof(uint64_t)); -+} -+ -+static inline void -+point_mul(uint64_t *res, uint64_t *scalar, uint64_t *p) -+{ -+ uint64_t table[192U] = { 0U }; -+ uint64_t tmp[12U] = { 0U }; -+ uint64_t *t0 = table; -+ uint64_t *t1 = table + (uint32_t)12U; -+ make_point_at_inf(t0); -+ memcpy(t1, p, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR7(i, -+ (uint32_t)0U, -+ (uint32_t)7U, -+ (uint32_t)1U, -+ uint64_t *t11 = table + (i + (uint32_t)1U) * (uint32_t)12U; -+ point_double(tmp, t11); -+ memcpy(table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t)); -+ uint64_t *t2 = table + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U; -+ point_add(tmp, p, t2); -+ memcpy(table + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t));); -+ make_point_at_inf(res); -+ uint64_t tmp0[12U] = { 0U }; -+ for (uint32_t i0 = (uint32_t)0U; i0 < (uint32_t)64U; i0++) { -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)256U - (uint32_t)4U * i0 - (uint32_t)4U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar, k, (uint32_t)4U); -+ memcpy(tmp0, (uint64_t *)table, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i1, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i1 + (uint32_t)1U)); -+ const uint64_t *res_j = table + (i1 + (uint32_t)1U) * (uint32_t)12U; -+ KRML_MAYBE_FOR12(i, -+ (uint32_t)0U, -+ (uint32_t)12U, -+ (uint32_t)1U, -+ uint64_t *os = tmp0; -+ uint64_t x = (c & res_j[i]) | (~c & tmp0[i]); -+ os[i] = x;);); -+ point_add(res, res, tmp0); -+ } -+} -+ -+static inline void -+precomp_get_consttime(const uint64_t *table, uint64_t bits_l, uint64_t *tmp) -+{ -+ memcpy(tmp, (uint64_t *)table, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i0, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t c = FStar_UInt64_eq_mask(bits_l, (uint64_t)(i0 + (uint32_t)1U)); -+ const uint64_t *res_j = table + (i0 + (uint32_t)1U) * (uint32_t)12U; -+ KRML_MAYBE_FOR12(i, -+ (uint32_t)0U, -+ (uint32_t)12U, -+ (uint32_t)1U, -+ uint64_t *os = tmp; -+ uint64_t x = (c & res_j[i]) | (~c & tmp[i]); -+ os[i] = x;);); -+} -+ -+static inline void -+point_mul_g(uint64_t *res, uint64_t *scalar) -+{ -+ uint64_t q1[12U] = { 0U }; -+ make_base_point(q1); -+ /* -+ uint64_t -+ q2[12U] = -+ { -+ (uint64_t)1499621593102562565U, (uint64_t)16692369783039433128U, -+ (uint64_t)15337520135922861848U, (uint64_t)5455737214495366228U, -+ (uint64_t)17827017231032529600U, (uint64_t)12413621606240782649U, -+ (uint64_t)2290483008028286132U, (uint64_t)15752017553340844820U, -+ (uint64_t)4846430910634234874U, (uint64_t)10861682798464583253U, -+ (uint64_t)15404737222404363049U, (uint64_t)363586619281562022U -+ }; -+ uint64_t -+ q3[12U] = -+ { -+ (uint64_t)14619254753077084366U, (uint64_t)13913835116514008593U, -+ (uint64_t)15060744674088488145U, (uint64_t)17668414598203068685U, -+ (uint64_t)10761169236902342334U, (uint64_t)15467027479157446221U, -+ (uint64_t)14989185522423469618U, (uint64_t)14354539272510107003U, -+ (uint64_t)14298211796392133693U, (uint64_t)13270323784253711450U, -+ (uint64_t)13380964971965046957U, (uint64_t)8686204248456909699U -+ }; -+ uint64_t -+ q4[12U] = -+ { -+ (uint64_t)7870395003430845958U, (uint64_t)18001862936410067720U, -+ (uint64_t)8006461232116967215U, (uint64_t)5921313779532424762U, -+ (uint64_t)10702113371959864307U, (uint64_t)8070517410642379879U, -+ (uint64_t)7139806720777708306U, (uint64_t)8253938546650739833U, -+ (uint64_t)17490482834545705718U, (uint64_t)1065249776797037500U, -+ (uint64_t)5018258455937968775U, (uint64_t)14100621120178668337U -+ }; -+ */ -+ uint64_t *r1 = scalar; -+ uint64_t *r2 = scalar + (uint32_t)1U; -+ uint64_t *r3 = scalar + (uint32_t)2U; -+ uint64_t *r4 = scalar + (uint32_t)3U; -+ make_point_at_inf(res); -+ uint64_t tmp[12U] = { 0U }; -+ KRML_MAYBE_FOR16(i, -+ (uint32_t)0U, -+ (uint32_t)16U, -+ (uint32_t)1U, -+ KRML_MAYBE_FOR4(i0, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r4, k, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_192_table_w4, bits_l, tmp); -+ point_add(res, res, tmp); -+ uint32_t k0 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r3, k0, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_128_table_w4, bits_l0, tmp); -+ point_add(res, res, tmp); -+ uint32_t k1 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l1 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r2, k1, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_g_pow2_64_table_w4, bits_l1, tmp); -+ point_add(res, res, tmp); -+ uint32_t k2 = (uint32_t)64U - (uint32_t)4U * i - (uint32_t)4U; -+ uint64_t bits_l2 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)1U, r1, k2, (uint32_t)4U); -+ precomp_get_consttime(Hacl_P256_PrecompTable_precomp_basepoint_table_w4, bits_l2, tmp); -+ point_add(res, res, tmp);); -+} -+ -+static inline void -+point_mul_double_g(uint64_t *res, uint64_t *scalar1, uint64_t *scalar2, uint64_t *q2) -+{ -+ uint64_t q1[12U] = { 0U }; -+ make_base_point(q1); -+ uint64_t table2[384U] = { 0U }; -+ uint64_t tmp[12U] = { 0U }; -+ uint64_t *t0 = table2; -+ uint64_t *t1 = table2 + (uint32_t)12U; -+ make_point_at_inf(t0); -+ memcpy(t1, q2, (uint32_t)12U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR15(i, -+ (uint32_t)0U, -+ (uint32_t)15U, -+ (uint32_t)1U, -+ uint64_t *t11 = table2 + (i + (uint32_t)1U) * (uint32_t)12U; -+ point_double(tmp, t11); -+ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t)); -+ uint64_t *t2 = table2 + ((uint32_t)2U * i + (uint32_t)2U) * (uint32_t)12U; -+ point_add(tmp, q2, t2); -+ memcpy(table2 + ((uint32_t)2U * i + (uint32_t)3U) * (uint32_t)12U, -+ tmp, -+ (uint32_t)12U * sizeof(uint64_t));); -+ uint64_t tmp0[12U] = { 0U }; -+ uint32_t i0 = (uint32_t)255U; -+ uint64_t bits_c = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar1, i0, (uint32_t)5U); -+ uint32_t bits_l32 = (uint32_t)bits_c; -+ const uint64_t -+ *a_bits_l = Hacl_P256_PrecompTable_precomp_basepoint_table_w5 + bits_l32 * (uint32_t)12U; -+ memcpy(res, (uint64_t *)a_bits_l, (uint32_t)12U * sizeof(uint64_t)); -+ uint32_t i1 = (uint32_t)255U; -+ uint64_t bits_c0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar2, i1, (uint32_t)5U); -+ uint32_t bits_l320 = (uint32_t)bits_c0; -+ const uint64_t *a_bits_l0 = table2 + bits_l320 * (uint32_t)12U; -+ memcpy(tmp0, (uint64_t *)a_bits_l0, (uint32_t)12U * sizeof(uint64_t)); -+ point_add(res, res, tmp0); -+ uint64_t tmp1[12U] = { 0U }; -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)51U; i++) { -+ KRML_MAYBE_FOR5(i2, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, point_double(res, res);); -+ uint32_t k = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U; -+ uint64_t bits_l = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar2, k, (uint32_t)5U); -+ uint32_t bits_l321 = (uint32_t)bits_l; -+ const uint64_t *a_bits_l1 = table2 + bits_l321 * (uint32_t)12U; -+ memcpy(tmp1, (uint64_t *)a_bits_l1, (uint32_t)12U * sizeof(uint64_t)); -+ point_add(res, res, tmp1); -+ uint32_t k0 = (uint32_t)255U - (uint32_t)5U * i - (uint32_t)5U; -+ uint64_t bits_l0 = Hacl_Bignum_Lib_bn_get_bits_u64((uint32_t)4U, scalar1, k0, (uint32_t)5U); -+ uint32_t bits_l322 = (uint32_t)bits_l0; -+ const uint64_t -+ *a_bits_l2 = Hacl_P256_PrecompTable_precomp_basepoint_table_w5 + bits_l322 * (uint32_t)12U; -+ memcpy(tmp1, (uint64_t *)a_bits_l2, (uint32_t)12U * sizeof(uint64_t)); -+ point_add(res, res, tmp1); -+ } -+} -+ -+static inline uint64_t -+bn_is_lt_order_mask4(uint64_t *f) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_order(tmp); -+ uint64_t c = bn_sub4(tmp, f, tmp); -+ return (uint64_t)0U - c; -+} -+ -+static inline uint64_t -+bn_is_lt_order_and_gt_zero_mask4(uint64_t *f) -+{ -+ uint64_t is_lt_order = bn_is_lt_order_mask4(f); -+ uint64_t is_eq_zero = bn_is_zero_mask4(f); -+ return is_lt_order & ~is_eq_zero; -+} -+ -+static inline void -+qmod_short(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ make_order(tmp); -+ uint64_t c = bn_sub4(tmp, x, tmp); -+ bn_cmovznz4(res, c, tmp, x); -+} -+ -+static inline void -+qadd(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_order(n); -+ bn_add_mod4(res, n, x, y); -+} -+ -+static inline void -+qmont_reduction(uint64_t *res, uint64_t *x) -+{ -+ uint64_t n[4U] = { 0U }; -+ make_order(n); -+ uint64_t c0 = (uint64_t)0U; -+ KRML_MAYBE_FOR4( -+ i0, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t qj = (uint64_t)0xccd1c8aaee00bc4fU * x[i0]; -+ uint64_t *res_j0 = x + i0; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t a_i = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = res_j0 + (uint32_t)4U * (uint32_t)0U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i, qj, c, res_i0); -+ uint64_t a_i0 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i0, qj, c, res_i1); -+ uint64_t a_i1 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i1, qj, c, res_i2); -+ uint64_t a_i2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = res_j0 + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Hacl_Bignum_Base_mul_wide_add2_u64(a_i2, qj, c, res_i); -+ } uint64_t r = c; -+ uint64_t c1 = r; -+ uint64_t *resb = x + (uint32_t)4U + i0; -+ uint64_t res_j = x[(uint32_t)4U + i0]; -+ c0 = Lib_IntTypes_Intrinsics_add_carry_u64(c0, c1, res_j, resb);); -+ memcpy(res, x + (uint32_t)4U, (uint32_t)4U * sizeof(uint64_t)); -+ uint64_t c00 = c0; -+ uint64_t tmp[4U] = { 0U }; -+ uint64_t c = (uint64_t)0U; -+ { -+ uint64_t t1 = res[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t t20 = n[(uint32_t)4U * (uint32_t)0U]; -+ uint64_t *res_i0 = tmp + (uint32_t)4U * (uint32_t)0U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t1, t20, res_i0); -+ uint64_t t10 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t t21 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U]; -+ uint64_t *res_i1 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t10, t21, res_i1); -+ uint64_t t11 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t t22 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U]; -+ uint64_t *res_i2 = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t11, t22, res_i2); -+ uint64_t t12 = res[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t t2 = n[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U]; -+ uint64_t *res_i = tmp + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_sub_borrow_u64(c, t12, t2, res_i); -+ } -+ uint64_t c1 = c; -+ uint64_t c2 = c00 - c1; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = res; -+ uint64_t x1 = (c2 & res[i]) | (~c2 & tmp[i]); -+ os[i] = x1;); -+} -+ -+static inline void -+from_qmont(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ memcpy(tmp, x, (uint32_t)4U * sizeof(uint64_t)); -+ qmont_reduction(res, tmp); -+} -+ -+static inline void -+qmul(uint64_t *res, uint64_t *x, uint64_t *y) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_mul4(tmp, x, y); -+ qmont_reduction(res, tmp); -+} -+ -+static inline void -+qsqr(uint64_t *res, uint64_t *x) -+{ -+ uint64_t tmp[8U] = { 0U }; -+ bn_sqr4(tmp, x); -+ qmont_reduction(res, tmp); -+} -+ -+bool -+Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *sk = tmp; -+ uint64_t *pk = tmp + (uint32_t)4U; -+ bn_from_bytes_be4(sk, private_key); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(sk); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = sk; -+ uint64_t uu____0 = oneq[i]; -+ uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid; -+ point_mul_g(pk, sk); -+ point_store(public_key, pk); -+ return is_sk_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+bool -+Hacl_Impl_P256_DH_ecp256dh_r( -+ uint8_t *shared_secret, -+ uint8_t *their_pubkey, -+ uint8_t *private_key) -+{ -+ uint64_t tmp[16U] = { 0U }; -+ uint64_t *sk = tmp; -+ uint64_t *pk = tmp + (uint32_t)4U; -+ bool is_pk_valid = load_point_vartime(pk, their_pubkey); -+ bn_from_bytes_be4(sk, private_key); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(sk); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = sk; -+ uint64_t uu____0 = oneq[i]; -+ uint64_t x = uu____0 ^ (is_b_valid & (sk[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid; -+ uint64_t ss_proj[12U] = { 0U }; -+ if (is_pk_valid) { -+ point_mul(ss_proj, sk, pk); -+ point_store(shared_secret, ss_proj); -+ } -+ return is_sk_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU && is_pk_valid; -+} -+ -+static inline void -+qinv(uint64_t *res, uint64_t *r) -+{ -+ uint64_t tmp[28U] = { 0U }; -+ uint64_t *x6 = tmp; -+ uint64_t *x_11 = tmp + (uint32_t)4U; -+ uint64_t *x_101 = tmp + (uint32_t)8U; -+ uint64_t *x_111 = tmp + (uint32_t)12U; -+ uint64_t *x_1111 = tmp + (uint32_t)16U; -+ uint64_t *x_10101 = tmp + (uint32_t)20U; -+ uint64_t *x_101111 = tmp + (uint32_t)24U; -+ memcpy(x6, r, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_11, x6, r); -+ qmul(x_101, x6, x_11); -+ qmul(x_111, x6, x_101); -+ memcpy(x6, x_101, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_1111, x_101, x6); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_10101, x6, r); -+ memcpy(x6, x_10101, (uint32_t)4U * sizeof(uint64_t)); -+ { -+ qsqr(x6, x6); -+ } -+ qmul(x_101111, x_101, x6); -+ qmul(x6, x_10101, x6); -+ uint64_t tmp1[4U] = { 0U }; -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(x6, x6);); -+ qmul(x6, x6, x_11); -+ memcpy(tmp1, x6, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR8(i, (uint32_t)0U, (uint32_t)8U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x6); -+ memcpy(x6, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ KRML_MAYBE_FOR16(i, (uint32_t)0U, (uint32_t)16U, (uint32_t)1U, qsqr(x6, x6);); -+ qmul(x6, x6, tmp1); -+ memcpy(tmp1, x6, (uint32_t)4U * sizeof(uint64_t)); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)64U; i++) { -+ qsqr(tmp1, tmp1); -+ } -+ qmul(tmp1, tmp1, x6); -+ for (uint32_t i = (uint32_t)0U; i < (uint32_t)32U; i++) { -+ qsqr(tmp1, tmp1); -+ } -+ qmul(tmp1, tmp1, x6); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_10101); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR9(i, (uint32_t)0U, (uint32_t)9U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR4(i, (uint32_t)0U, (uint32_t)4U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_111); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR10(i, (uint32_t)0U, (uint32_t)10U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_101111); -+ KRML_MAYBE_FOR2(i, (uint32_t)0U, (uint32_t)2U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR5(i, (uint32_t)0U, (uint32_t)5U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_11); -+ KRML_MAYBE_FOR3(i, (uint32_t)0U, (uint32_t)3U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, r); -+ KRML_MAYBE_FOR7(i, (uint32_t)0U, (uint32_t)7U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_10101); -+ KRML_MAYBE_FOR6(i, (uint32_t)0U, (uint32_t)6U, (uint32_t)1U, qsqr(tmp1, tmp1);); -+ qmul(tmp1, tmp1, x_1111); -+ memcpy(x6, tmp1, (uint32_t)4U * sizeof(uint64_t)); -+ memcpy(res, x6, (uint32_t)4U * sizeof(uint64_t)); -+} -+ -+static inline void -+qmul_mont(uint64_t *sinv, uint64_t *b, uint64_t *res) -+{ -+ uint64_t tmp[4U] = { 0U }; -+ from_qmont(tmp, b); -+ qmul(res, sinv, tmp); -+} -+ -+static inline bool -+ecdsa_verify_msg_as_qelem( -+ uint64_t *m_q, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s) -+{ -+ uint64_t tmp[28U] = { 0U }; -+ uint64_t *pk = tmp; -+ uint64_t *r_q = tmp + (uint32_t)12U; -+ uint64_t *s_q = tmp + (uint32_t)16U; -+ uint64_t *u1 = tmp + (uint32_t)20U; -+ uint64_t *u2 = tmp + (uint32_t)24U; -+ bool is_pk_valid = load_point_vartime(pk, public_key); -+ bn_from_bytes_be4(r_q, signature_r); -+ bn_from_bytes_be4(s_q, signature_s); -+ uint64_t is_r_valid = bn_is_lt_order_and_gt_zero_mask4(r_q); -+ uint64_t is_s_valid = bn_is_lt_order_and_gt_zero_mask4(s_q); -+ bool -+ is_rs_valid = -+ is_r_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU && is_s_valid == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ if (!(is_pk_valid && is_rs_valid)) { -+ return false; -+ } -+ uint64_t sinv[4U] = { 0U }; -+ qinv(sinv, s_q); -+ qmul_mont(sinv, m_q, u1); -+ qmul_mont(sinv, r_q, u2); -+ uint64_t res[12U] = { 0U }; -+ point_mul_double_g(res, u1, u2, pk); -+ if (is_point_at_inf_vartime(res)) { -+ return false; -+ } -+ uint64_t x[4U] = { 0U }; -+ to_aff_point_x(x, res); -+ qmod_short(x, x); -+ bool res1 = bn_is_eq_vartime4(x, r_q); -+ return res1; -+} -+ -+static inline bool -+ecdsa_sign_msg_as_qelem( -+ uint8_t *signature, -+ uint64_t *m_q, -+ uint8_t *private_key, -+ uint8_t *nonce) -+{ -+ uint64_t rsdk_q[16U] = { 0U }; -+ uint64_t *r_q = rsdk_q; -+ uint64_t *s_q = rsdk_q + (uint32_t)4U; -+ uint64_t *d_a = rsdk_q + (uint32_t)8U; -+ uint64_t *k_q = rsdk_q + (uint32_t)12U; -+ bn_from_bytes_be4(d_a, private_key); -+ uint64_t is_b_valid0 = bn_is_lt_order_and_gt_zero_mask4(d_a); -+ uint64_t oneq0[4U] = { 0U }; -+ oneq0[0U] = (uint64_t)1U; -+ oneq0[1U] = (uint64_t)0U; -+ oneq0[2U] = (uint64_t)0U; -+ oneq0[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = d_a; -+ uint64_t uu____0 = oneq0[i]; -+ uint64_t x = uu____0 ^ (is_b_valid0 & (d_a[i] ^ uu____0)); -+ os[i] = x;); -+ uint64_t is_sk_valid = is_b_valid0; -+ bn_from_bytes_be4(k_q, nonce); -+ uint64_t is_b_valid = bn_is_lt_order_and_gt_zero_mask4(k_q); -+ uint64_t oneq[4U] = { 0U }; -+ oneq[0U] = (uint64_t)1U; -+ oneq[1U] = (uint64_t)0U; -+ oneq[2U] = (uint64_t)0U; -+ oneq[3U] = (uint64_t)0U; -+ KRML_MAYBE_FOR4(i, -+ (uint32_t)0U, -+ (uint32_t)4U, -+ (uint32_t)1U, -+ uint64_t *os = k_q; -+ uint64_t uu____1 = oneq[i]; -+ uint64_t x = uu____1 ^ (is_b_valid & (k_q[i] ^ uu____1)); -+ os[i] = x;); -+ uint64_t is_nonce_valid = is_b_valid; -+ uint64_t are_sk_nonce_valid = is_sk_valid & is_nonce_valid; -+ uint64_t p[12U] = { 0U }; -+ point_mul_g(p, k_q); -+ to_aff_point_x(r_q, p); -+ qmod_short(r_q, r_q); -+ uint64_t kinv[4U] = { 0U }; -+ qinv(kinv, k_q); -+ qmul(s_q, r_q, d_a); -+ from_qmont(m_q, m_q); -+ qadd(s_q, m_q, s_q); -+ qmul(s_q, kinv, s_q); -+ bn2_to_bytes_be4(signature, r_q, s_q); -+ uint64_t is_r_zero = bn_is_zero_mask4(r_q); -+ uint64_t is_s_zero = bn_is_zero_mask4(s_q); -+ uint64_t m = are_sk_nonce_valid & (~is_r_zero & ~is_s_zero); -+ bool res = m == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+ return res; -+} -+ -+/******************************************************************************* -+ -+ Verified C library for ECDSA and ECDH functions over the P-256 NIST curve. -+ -+ This module implements signing and verification, key validation, conversions -+ between various point representations, and ECDH key agreement. -+ -+*******************************************************************************/ -+ -+/*****************/ -+/* ECDSA signing */ -+/*****************/ -+ -+/** -+Create an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-sign combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs -+ smaller than 32 bytes. These libraries left-pad the input with enough zeroes to -+ reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL -+ need to perform the left-padding themselves. -+ -+ The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. -+ -+ The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `nonce` are valid values: -+ • 0 < `private_key` < the order of the curve -+ • 0 < `nonce` < the order of the curve -+*/ -+bool -+Hacl_P256_ecdsa_sign_p256_without_hash( -+ uint8_t *signature, -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *private_key, -+ uint8_t *nonce) -+{ -+ uint64_t m_q[4U] = { 0U }; -+ uint8_t mHash[32U] = { 0U }; -+ memcpy(mHash, msg, (uint32_t)32U * sizeof(uint8_t)); -+ uint8_t *mHash32 = mHash; -+ bn_from_bytes_be4(m_q, mHash32); -+ qmod_short(m_q, m_q); -+ bool res = ecdsa_sign_msg_as_qelem(signature, m_q, private_key, nonce); -+ return res; -+} -+ -+/**********************/ -+/* ECDSA verification */ -+/**********************/ -+ -+/** -+Verify an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-verify combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ The function returns `true` if the signature is valid and `false` otherwise. -+ -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `public_key` is valid -+*/ -+bool -+Hacl_P256_ecdsa_verif_without_hash( -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s) -+{ -+ uint64_t m_q[4U] = { 0U }; -+ uint8_t mHash[32U] = { 0U }; -+ memcpy(mHash, msg, (uint32_t)32U * sizeof(uint8_t)); -+ uint8_t *mHash32 = mHash; -+ bn_from_bytes_be4(m_q, mHash32); -+ qmod_short(m_q, m_q); -+ bool res = ecdsa_verify_msg_as_qelem(m_q, public_key, signature_r, signature_s); -+ return res; -+} -+ -+/******************/ -+/* Key validation */ -+/******************/ -+ -+/** -+Public key validation. -+ -+ The function returns `true` if a public key is valid and `false` otherwise. -+ -+ The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The public key (x || y) is valid (with respect to SP 800-56A): -+ • the public key is not the “point at infinity”, represented as O. -+ • the affine x and y coordinates of the point represented by the public key are -+ in the range [0, p – 1] where p is the prime defining the finite field. -+ • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. -+ The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ -+*/ -+bool -+Hacl_P256_validate_public_key(uint8_t *public_key) -+{ -+ uint64_t point_jac[12U] = { 0U }; -+ bool res = load_point_vartime(point_jac, public_key); -+ return res; -+} -+ -+/** -+Private key validation. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve -+*/ -+bool -+Hacl_P256_validate_private_key(uint8_t *private_key) -+{ -+ uint64_t bn_sk[4U] = { 0U }; -+ bn_from_bytes_be4(bn_sk, private_key); -+ uint64_t res = bn_is_lt_order_and_gt_zero_mask4(bn_sk); -+ return res == (uint64_t)0xFFFFFFFFFFFFFFFFU; -+} -+ -+/******************************************************************************* -+ Parsing and Serializing public keys. -+ -+ A public key is a point (x, y) on the P-256 NIST curve. -+ -+ The point can be represented in the following three ways. -+ • raw = [ x || y ], 64 bytes -+ • uncompressed = [ 0x04 || x || y ], 65 bytes -+ • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes -+ -+*******************************************************************************/ -+ -+/** -+Convert a public key from uncompressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+bool -+Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw) -+{ -+ uint8_t pk0 = pk[0U]; -+ if (pk0 != (uint8_t)0x04U) { -+ return false; -+ } -+ memcpy(pk_raw, pk + (uint32_t)1U, (uint32_t)64U * sizeof(uint8_t)); -+ return true; -+} -+ -+/** -+Convert a public key from compressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ -+ The function also checks whether (x, y) is a valid point. -+*/ -+bool -+Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw) -+{ -+ uint64_t xa[4U] = { 0U }; -+ uint64_t ya[4U] = { 0U }; -+ uint8_t *pk_xb = pk + (uint32_t)1U; -+ bool b = aff_point_decompress_vartime(xa, ya, pk); -+ if (b) { -+ memcpy(pk_raw, pk_xb, (uint32_t)32U * sizeof(uint8_t)); -+ bn_to_bytes_be4(pk_raw + (uint32_t)32U, ya); -+ } -+ return b; -+} -+ -+/** -+Convert a public key from raw to its uncompressed form. -+ -+ The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void -+Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk) -+{ -+ pk[0U] = (uint8_t)0x04U; -+ memcpy(pk + (uint32_t)1U, pk_raw, (uint32_t)64U * sizeof(uint8_t)); -+} -+ -+/** -+Convert a public key from raw to its compressed form. -+ -+ The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void -+Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk) -+{ -+ uint8_t *pk_x = pk_raw; -+ uint8_t *pk_y = pk_raw + (uint32_t)32U; -+ uint64_t bn_f[4U] = { 0U }; -+ bn_from_bytes_be4(bn_f, pk_y); -+ uint64_t is_odd_f = bn_f[0U] & (uint64_t)1U; -+ pk[0U] = (uint8_t)is_odd_f + (uint8_t)0x02U; -+ memcpy(pk + (uint32_t)1U, pk_x, (uint32_t)32U * sizeof(uint8_t)); -+} -+ -+/******************/ -+/* ECDH agreement */ -+/******************/ -+ -+/** -+Compute the public key from the private key. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve. -+*/ -+bool -+Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key) -+{ -+ return Hacl_Impl_P256_DH_ecp256dh_i(public_key, private_key); -+} -+ -+/** -+Execute the diffie-hellmann key exchange. -+ -+ The function returns `true` for successful creation of an ECDH shared secret and -+ `false` otherwise. -+ -+ The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `their_pubkey` are valid. -+*/ -+bool -+Hacl_P256_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key) -+{ -+ return Hacl_Impl_P256_DH_ecp256dh_r(shared_secret, their_pubkey, private_key); -+} -+ -diff --git a/lib/freebl/verified/Hacl_P256.h b/lib/freebl/verified/Hacl_P256.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/Hacl_P256.h -@@ -0,0 +1,237 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __Hacl_P256_H -+#define __Hacl_P256_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "Hacl_Krmllib.h" -+#include "lib_intrinsics.h" -+ -+/******************************************************************************* -+ -+ Verified C library for ECDSA and ECDH functions over the P-256 NIST curve. -+ -+ This module implements signing and verification, key validation, conversions -+ between various point representations, and ECDH key agreement. -+ -+*******************************************************************************/ -+ -+/*****************/ -+/* ECDSA signing */ -+/*****************/ -+ -+/** -+Create an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-sign combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ NOTE: The equivalent functions in OpenSSL and Fiat-Crypto both accept inputs -+ smaller than 32 bytes. These libraries left-pad the input with enough zeroes to -+ reach the minimum 32 byte size. Clients who need behavior identical to OpenSSL -+ need to perform the left-padding themselves. -+ -+ The function returns `true` for successful creation of an ECDSA signature and `false` otherwise. -+ -+ The outparam `signature` (R || S) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The arguments `private_key` and `nonce` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `nonce` are valid values: -+ • 0 < `private_key` < the order of the curve -+ • 0 < `nonce` < the order of the curve -+*/ -+bool -+Hacl_P256_ecdsa_sign_p256_without_hash( -+ uint8_t *signature, -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *private_key, -+ uint8_t *nonce); -+ -+/**********************/ -+/* ECDSA verification */ -+/**********************/ -+ -+/** -+Verify an ECDSA signature WITHOUT hashing first. -+ -+ This function is intended to receive a hash of the input. -+ For convenience, we recommend using one of the hash-and-verify combined functions above. -+ -+ The argument `msg` MUST be at least 32 bytes (i.e. `msg_len >= 32`). -+ -+ The function returns `true` if the signature is valid and `false` otherwise. -+ -+ The argument `msg` points to `msg_len` bytes of valid memory, i.e., uint8_t[msg_len]. -+ The argument `public_key` (x || y) points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The arguments `signature_r` and `signature_s` point to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `public_key` is valid -+*/ -+bool -+Hacl_P256_ecdsa_verif_without_hash( -+ uint32_t msg_len, -+ uint8_t *msg, -+ uint8_t *public_key, -+ uint8_t *signature_r, -+ uint8_t *signature_s); -+ -+/******************/ -+/* Key validation */ -+/******************/ -+ -+/** -+Public key validation. -+ -+ The function returns `true` if a public key is valid and `false` otherwise. -+ -+ The argument `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The public key (x || y) is valid (with respect to SP 800-56A): -+ • the public key is not the “point at infinity”, represented as O. -+ • the affine x and y coordinates of the point represented by the public key are -+ in the range [0, p – 1] where p is the prime defining the finite field. -+ • y^2 = x^3 + ax + b where a and b are the coefficients of the curve equation. -+ The last extract is taken from: https://neilmadden.blog/2017/05/17/so-how-do-you-validate-nist-ecdh-public-keys/ -+*/ -+bool Hacl_P256_validate_public_key(uint8_t *public_key); -+ -+/** -+Private key validation. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve -+*/ -+bool Hacl_P256_validate_private_key(uint8_t *private_key); -+ -+/******************************************************************************* -+ Parsing and Serializing public keys. -+ -+ A public key is a point (x, y) on the P-256 NIST curve. -+ -+ The point can be represented in the following three ways. -+ • raw = [ x || y ], 64 bytes -+ • uncompressed = [ 0x04 || x || y ], 65 bytes -+ • compressed = [ (0x02 for even `y` and 0x03 for odd `y`) || x ], 33 bytes -+ -+*******************************************************************************/ -+ -+/** -+Convert a public key from uncompressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+bool Hacl_P256_uncompressed_to_raw(uint8_t *pk, uint8_t *pk_raw); -+ -+/** -+Convert a public key from compressed to its raw form. -+ -+ The function returns `true` for successful conversion of a public key and `false` otherwise. -+ -+ The outparam `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ -+ The function also checks whether (x, y) is a valid point. -+*/ -+bool Hacl_P256_compressed_to_raw(uint8_t *pk, uint8_t *pk_raw); -+ -+/** -+Convert a public key from raw to its uncompressed form. -+ -+ The outparam `pk` points to 65 bytes of valid memory, i.e., uint8_t[65]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void Hacl_P256_raw_to_uncompressed(uint8_t *pk_raw, uint8_t *pk); -+ -+/** -+Convert a public key from raw to its compressed form. -+ -+ The outparam `pk` points to 33 bytes of valid memory, i.e., uint8_t[33]. -+ The argument `pk_raw` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ -+ The function DOESN'T check whether (x, y) is a valid point. -+*/ -+void Hacl_P256_raw_to_compressed(uint8_t *pk_raw, uint8_t *pk); -+ -+/******************/ -+/* ECDH agreement */ -+/******************/ -+ -+/** -+Compute the public key from the private key. -+ -+ The function returns `true` if a private key is valid and `false` otherwise. -+ -+ The outparam `public_key` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The private key is valid: -+ • 0 < `private_key` < the order of the curve. -+*/ -+bool Hacl_P256_dh_initiator(uint8_t *public_key, uint8_t *private_key); -+ -+/** -+Execute the diffie-hellmann key exchange. -+ -+ The function returns `true` for successful creation of an ECDH shared secret and -+ `false` otherwise. -+ -+ The outparam `shared_secret` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `their_pubkey` points to 64 bytes of valid memory, i.e., uint8_t[64]. -+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32]. -+ -+ The function also checks whether `private_key` and `their_pubkey` are valid. -+*/ -+bool -+Hacl_P256_dh_responder(uint8_t *shared_secret, uint8_t *their_pubkey, uint8_t *private_key); -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __Hacl_P256_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_Bignum_Base.h b/lib/freebl/verified/internal/Hacl_Bignum_Base.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_Bignum_Base.h -@@ -0,0 +1,114 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __internal_Hacl_Bignum_Base_H -+#define __internal_Hacl_Bignum_Base_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "internal/Hacl_Krmllib.h" -+#include "Hacl_Krmllib.h" -+#include "internal/lib_intrinsics.h" -+ -+static inline uint32_t -+Hacl_Bignum_Base_mul_wide_add2_u32(uint32_t a, uint32_t b, uint32_t c_in, uint32_t *out) -+{ -+ uint32_t out0 = out[0U]; -+ uint64_t res = (uint64_t)a * (uint64_t)b + (uint64_t)c_in + (uint64_t)out0; -+ out[0U] = (uint32_t)res; -+ return (uint32_t)(res >> (uint32_t)32U); -+} -+ -+static inline uint64_t -+Hacl_Bignum_Base_mul_wide_add2_u64(uint64_t a, uint64_t b, uint64_t c_in, uint64_t *out) -+{ -+ uint64_t out0 = out[0U]; -+ FStar_UInt128_uint128 -+ res = -+ FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(a, b), -+ FStar_UInt128_uint64_to_uint128(c_in)), -+ FStar_UInt128_uint64_to_uint128(out0)); -+ out[0U] = FStar_UInt128_uint128_to_uint64(res); -+ return FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); -+} -+ -+static inline uint64_t -+Hacl_Bignum_Lib_bn_get_bits_u64(uint32_t len, uint64_t *b, uint32_t i, uint32_t l) -+{ -+ uint32_t i1 = i / (uint32_t)64U; -+ uint32_t j = i % (uint32_t)64U; -+ uint64_t p1 = b[i1] >> j; -+ uint64_t ite; -+ if (i1 + (uint32_t)1U < len && (uint32_t)0U < j) { -+ ite = p1 | b[i1 + (uint32_t)1U] << ((uint32_t)64U - j); -+ } else { -+ ite = p1; -+ } -+ return ite & (((uint64_t)1U << l) - (uint64_t)1U); -+} -+ -+static inline uint64_t -+Hacl_Bignum_Addition_bn_add_eq_len_u64(uint32_t aLen, uint64_t *a, uint64_t *b, uint64_t *res) -+{ -+ uint64_t c = (uint64_t)0U; -+ for (uint32_t i = (uint32_t)0U; i < aLen / (uint32_t)4U; i++) { -+ uint64_t t1 = a[(uint32_t)4U * i]; -+ uint64_t t20 = b[(uint32_t)4U * i]; -+ uint64_t *res_i0 = res + (uint32_t)4U * i; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t20, res_i0); -+ uint64_t t10 = a[(uint32_t)4U * i + (uint32_t)1U]; -+ uint64_t t21 = b[(uint32_t)4U * i + (uint32_t)1U]; -+ uint64_t *res_i1 = res + (uint32_t)4U * i + (uint32_t)1U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t10, t21, res_i1); -+ uint64_t t11 = a[(uint32_t)4U * i + (uint32_t)2U]; -+ uint64_t t22 = b[(uint32_t)4U * i + (uint32_t)2U]; -+ uint64_t *res_i2 = res + (uint32_t)4U * i + (uint32_t)2U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t11, t22, res_i2); -+ uint64_t t12 = a[(uint32_t)4U * i + (uint32_t)3U]; -+ uint64_t t2 = b[(uint32_t)4U * i + (uint32_t)3U]; -+ uint64_t *res_i = res + (uint32_t)4U * i + (uint32_t)3U; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t12, t2, res_i); -+ } -+ for (uint32_t i = aLen / (uint32_t)4U * (uint32_t)4U; i < aLen; i++) { -+ uint64_t t1 = a[i]; -+ uint64_t t2 = b[i]; -+ uint64_t *res_i = res + i; -+ c = Lib_IntTypes_Intrinsics_add_carry_u64(c, t1, t2, res_i); -+ } -+ return c; -+} -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __internal_Hacl_Bignum_Base_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics.h -@@ -0,0 +1,83 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __Hacl_IntTypes_Intrinsics_H -+#define __Hacl_IntTypes_Intrinsics_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "Hacl_Krmllib.h" -+ -+static inline uint32_t -+Hacl_IntTypes_Intrinsics_add_carry_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r) -+{ -+ uint64_t res = (uint64_t)x + (uint64_t)cin + (uint64_t)y; -+ uint32_t c = (uint32_t)(res >> (uint32_t)32U); -+ r[0U] = (uint32_t)res; -+ return c; -+} -+ -+static inline uint32_t -+Hacl_IntTypes_Intrinsics_sub_borrow_u32(uint32_t cin, uint32_t x, uint32_t y, uint32_t *r) -+{ -+ uint64_t res = (uint64_t)x - (uint64_t)y - (uint64_t)cin; -+ uint32_t c = (uint32_t)(res >> (uint32_t)32U) & (uint32_t)1U; -+ r[0U] = (uint32_t)res; -+ return c; -+} -+ -+static inline uint64_t -+Hacl_IntTypes_Intrinsics_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) -+{ -+ uint64_t res = x + cin + y; -+ uint64_t -+ c = (~FStar_UInt64_gte_mask(res, x) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U; -+ r[0U] = res; -+ return c; -+} -+ -+static inline uint64_t -+Hacl_IntTypes_Intrinsics_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) -+{ -+ uint64_t res = x - y - cin; -+ uint64_t -+ c = -+ ((FStar_UInt64_gte_mask(res, x) & ~FStar_UInt64_eq_mask(res, x)) | (FStar_UInt64_eq_mask(res, x) & cin)) & (uint64_t)1U; -+ r[0U] = res; -+ return c; -+} -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __Hacl_IntTypes_Intrinsics_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_IntTypes_Intrinsics_128.h -@@ -0,0 +1,72 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __Hacl_IntTypes_Intrinsics_128_H -+#define __Hacl_IntTypes_Intrinsics_128_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "Hacl_Krmllib.h" -+ -+static inline uint64_t -+Hacl_IntTypes_Intrinsics_128_add_carry_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) -+{ -+ FStar_UInt128_uint128 -+ res = -+ FStar_UInt128_add_mod(FStar_UInt128_add_mod(FStar_UInt128_uint64_to_uint128(x), -+ FStar_UInt128_uint64_to_uint128(cin)), -+ FStar_UInt128_uint64_to_uint128(y)); -+ uint64_t c = FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)); -+ r[0U] = FStar_UInt128_uint128_to_uint64(res); -+ return c; -+} -+ -+static inline uint64_t -+Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(uint64_t cin, uint64_t x, uint64_t y, uint64_t *r) -+{ -+ FStar_UInt128_uint128 -+ res = -+ FStar_UInt128_sub_mod(FStar_UInt128_sub_mod(FStar_UInt128_uint64_to_uint128(x), -+ FStar_UInt128_uint64_to_uint128(y)), -+ FStar_UInt128_uint64_to_uint128(cin)); -+ uint64_t -+ c = -+ FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(res, (uint32_t)64U)) & (uint64_t)1U; -+ r[0U] = FStar_UInt128_uint128_to_uint64(res); -+ return c; -+} -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __Hacl_IntTypes_Intrinsics_128_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_P256.h b/lib/freebl/verified/internal/Hacl_P256.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_P256.h -@@ -0,0 +1,56 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __internal_Hacl_P256_H -+#define __internal_Hacl_P256_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+#include "internal/Hacl_P256_PrecompTable.h" -+#include "internal/Hacl_Krmllib.h" -+#include "internal/Hacl_Bignum_Base.h" -+#include "../Hacl_P256.h" -+//#include "lib_intrinsics.h" -+ -+bool Hacl_Impl_P256_DH_ecp256dh_i(uint8_t *public_key, uint8_t *private_key); -+ -+bool -+Hacl_Impl_P256_DH_ecp256dh_r( -+ uint8_t *shared_secret, -+ uint8_t *their_pubkey, -+ uint8_t *private_key); -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __internal_Hacl_P256_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h b/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/Hacl_P256_PrecompTable.h -@@ -0,0 +1,508 @@ -+/* MIT License -+ * -+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation -+ * Copyright (c) 2022-2023 HACL* Contributors -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a copy -+ * of this software and associated documentation files (the "Software"), to deal -+ * in the Software without restriction, including without limitation the rights -+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -+ * copies of the Software, and to permit persons to whom the Software is -+ * furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in all -+ * copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -+ * SOFTWARE. -+ */ -+ -+#ifndef __internal_Hacl_P256_PrecompTable_H -+#define __internal_Hacl_P256_PrecompTable_H -+ -+#if defined(__cplusplus) -+extern "C" { -+#endif -+ -+#include -+#include "krml/internal/types.h" -+#include "krml/lowstar_endianness.h" -+#include "krml/internal/target.h" -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_basepoint_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)8784043285714375740U, -+ (uint64_t)8483257759279461889U, (uint64_t)8789745728267363600U, (uint64_t)1770019616739251654U, -+ (uint64_t)15992936863339206154U, (uint64_t)10037038012062884956U, -+ (uint64_t)15197544864945402661U, (uint64_t)9615747158586711429U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)10634854829044225757U, (uint64_t)351552716085025155U, (uint64_t)10645315080955407736U, -+ (uint64_t)3609262091244858135U, (uint64_t)15760741698986874125U, -+ (uint64_t)14936374388219697827U, (uint64_t)15751360096993017895U, -+ (uint64_t)18012233706239762398U, (uint64_t)1993877568177495041U, -+ (uint64_t)10345888787846536528U, (uint64_t)7746511691117935375U, -+ (uint64_t)14517043990409914413U, (uint64_t)14122549297570634151U, -+ (uint64_t)16934610359517083771U, (uint64_t)5724511325497097418U, (uint64_t)8983432969107448705U, -+ (uint64_t)2687429970334080245U, (uint64_t)16525396802810050288U, (uint64_t)7602596488871585854U, -+ (uint64_t)4813919589149203084U, (uint64_t)7680395813780804519U, (uint64_t)6687709583048023590U, -+ (uint64_t)18086445169104142027U, (uint64_t)9637814708330203929U, -+ (uint64_t)14785108459960679090U, (uint64_t)3838023279095023581U, (uint64_t)3555615526157830307U, -+ (uint64_t)5177066488380472871U, (uint64_t)18218186719108038403U, -+ (uint64_t)16281556341699656105U, (uint64_t)1524227924561461191U, (uint64_t)4148060517641909597U, -+ (uint64_t)2858290374115363433U, (uint64_t)8942772026334130620U, (uint64_t)3034451298319885113U, -+ (uint64_t)8447866036736640940U, (uint64_t)11204933433076256578U, -+ (uint64_t)18333595740249588297U, (uint64_t)8259597024804538246U, (uint64_t)9539734295777539786U, -+ (uint64_t)9797290423046626413U, (uint64_t)5777303437849646537U, (uint64_t)8739356909899132020U, -+ (uint64_t)14815960973766782158U, (uint64_t)15286581798204509801U, -+ (uint64_t)17597362577777019682U, (uint64_t)13259283710820519742U, -+ (uint64_t)10501322996899164670U, (uint64_t)1221138904338319642U, -+ (uint64_t)14586685489551951885U, (uint64_t)895326705426031212U, (uint64_t)14398171728560617847U, -+ (uint64_t)9592550823745097391U, (uint64_t)17240998489162206026U, (uint64_t)8085479283308189196U, -+ (uint64_t)14844657737893882826U, (uint64_t)15923425394150618234U, -+ (uint64_t)2997808084773249525U, (uint64_t)494323555453660587U, (uint64_t)1215695327517794764U, -+ (uint64_t)9476207381098391690U, (uint64_t)7480789678419122995U, (uint64_t)15212230329321082489U, -+ (uint64_t)436189395349576388U, (uint64_t)17377474396456660834U, (uint64_t)15237013929655017939U, -+ (uint64_t)11444428846883781676U, (uint64_t)5112749694521428575U, (uint64_t)950829367509872073U, -+ (uint64_t)17665036182057559519U, (uint64_t)17205133339690002313U, -+ (uint64_t)16233765170251334549U, (uint64_t)10122775683257972591U, -+ (uint64_t)3352514236455632420U, (uint64_t)9143148522359954691U, (uint64_t)601191684005658860U, -+ (uint64_t)13398772186646349998U, (uint64_t)15512696600132928431U, -+ (uint64_t)9128416073728948653U, (uint64_t)11233051033546138578U, (uint64_t)6769345682610122833U, -+ (uint64_t)10823233224575054288U, (uint64_t)9997725227559980175U, (uint64_t)6733425642852897415U, -+ (uint64_t)16302206918151466066U, (uint64_t)1669330822143265921U, (uint64_t)2661645605036546002U, -+ (uint64_t)17182558479745802165U, (uint64_t)1165082692376932040U, (uint64_t)9470595929011488359U, -+ (uint64_t)6142147329285324932U, (uint64_t)4829075085998111287U, (uint64_t)10231370681107338930U, -+ (uint64_t)9591876895322495239U, (uint64_t)10316468561384076618U, -+ (uint64_t)11592503647238064235U, (uint64_t)13395813606055179632U, (uint64_t)511127033980815508U, -+ (uint64_t)12434976573147649880U, (uint64_t)3425094795384359127U, (uint64_t)6816971736303023445U, -+ (uint64_t)15444670609021139344U, (uint64_t)9464349818322082360U, -+ (uint64_t)16178216413042376883U, (uint64_t)9595540370774317348U, (uint64_t)7229365182662875710U, -+ (uint64_t)4601177649460012843U, (uint64_t)5455046447382487090U, (uint64_t)10854066421606187521U, -+ (uint64_t)15913416821879788071U, (uint64_t)2297365362023460173U, (uint64_t)2603252216454941350U, -+ (uint64_t)6768791943870490934U, (uint64_t)15705936687122754810U, (uint64_t)9537096567546600694U, -+ (uint64_t)17580538144855035062U, (uint64_t)4496542856965746638U, (uint64_t)8444341625922124942U, -+ (uint64_t)12191263903636183168U, (uint64_t)17427332907535974165U, -+ (uint64_t)14307569739254103736U, (uint64_t)13900598742063266169U, -+ (uint64_t)7176996424355977650U, (uint64_t)5709008170379717479U, (uint64_t)14471312052264549092U, -+ (uint64_t)1464519909491759867U, (uint64_t)3328154641049602121U, (uint64_t)13020349337171136774U, -+ (uint64_t)2772166279972051938U, (uint64_t)10854476939425975292U, (uint64_t)1967189930534630940U, -+ (uint64_t)2802919076529341959U, (uint64_t)14792226094833519208U, -+ (uint64_t)14675640928566522177U, (uint64_t)14838974364643800837U, -+ (uint64_t)17631460696099549980U, (uint64_t)17434186275364935469U, -+ (uint64_t)2665648200587705473U, (uint64_t)13202122464492564051U, (uint64_t)7576287350918073341U, -+ (uint64_t)2272206013910186424U, (uint64_t)14558761641743937843U, (uint64_t)5675729149929979729U, -+ (uint64_t)9043135187561613166U, (uint64_t)11750149293830589225U, (uint64_t)740555197954307911U, -+ (uint64_t)9871738005087190699U, (uint64_t)17178667634283502053U, -+ (uint64_t)18046255991533013265U, (uint64_t)4458222096988430430U, (uint64_t)8452427758526311627U, -+ (uint64_t)13825286929656615266U, (uint64_t)13956286357198391218U, -+ (uint64_t)15875692916799995079U, (uint64_t)10634895319157013920U, -+ (uint64_t)13230116118036304207U, (uint64_t)8795317393614625606U, (uint64_t)7001710806858862020U, -+ (uint64_t)7949746088586183478U, (uint64_t)14677556044923602317U, -+ (uint64_t)11184023437485843904U, (uint64_t)11215864722023085094U, -+ (uint64_t)6444464081471519014U, (uint64_t)1706241174022415217U, (uint64_t)8243975633057550613U, -+ (uint64_t)15502902453836085864U, (uint64_t)3799182188594003953U, (uint64_t)3538840175098724094U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_64_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1499621593102562565U, -+ (uint64_t)16692369783039433128U, (uint64_t)15337520135922861848U, -+ (uint64_t)5455737214495366228U, (uint64_t)17827017231032529600U, -+ (uint64_t)12413621606240782649U, (uint64_t)2290483008028286132U, -+ (uint64_t)15752017553340844820U, (uint64_t)4846430910634234874U, -+ (uint64_t)10861682798464583253U, (uint64_t)15404737222404363049U, (uint64_t)363586619281562022U, -+ (uint64_t)9866710912401645115U, (uint64_t)1162548847543228595U, (uint64_t)7649967190445130486U, -+ (uint64_t)5212340432230915749U, (uint64_t)7572620550182916491U, (uint64_t)14876145112448665096U, -+ (uint64_t)2063227348838176167U, (uint64_t)3519435548295415847U, (uint64_t)8390400282019023103U, -+ (uint64_t)17666843593163037841U, (uint64_t)9450204148816496323U, (uint64_t)8483374507652916768U, -+ (uint64_t)6254661047265818424U, (uint64_t)16382127809582285023U, (uint64_t)125359443771153172U, -+ (uint64_t)1374336701588437897U, (uint64_t)11362596098420127726U, (uint64_t)2101654420738681387U, -+ (uint64_t)12772780342444840510U, (uint64_t)12546934328908550060U, -+ (uint64_t)8331880412333790397U, (uint64_t)11687262051473819904U, (uint64_t)8926848496503457587U, -+ (uint64_t)9603974142010467857U, (uint64_t)13199952163826973175U, (uint64_t)2189856264898797734U, -+ (uint64_t)11356074861870267226U, (uint64_t)2027714896422561895U, (uint64_t)5261606367808050149U, -+ (uint64_t)153855954337762312U, (uint64_t)6375919692894573986U, (uint64_t)12364041207536146533U, -+ (uint64_t)1891896010455057160U, (uint64_t)1568123795087313171U, (uint64_t)18138710056556660101U, -+ (uint64_t)6004886947510047736U, (uint64_t)4811859325589542932U, (uint64_t)3618763430148954981U, -+ (uint64_t)11434521746258554122U, (uint64_t)10086341535864049427U, -+ (uint64_t)8073421629570399570U, (uint64_t)12680586148814729338U, (uint64_t)9619958020761569612U, -+ (uint64_t)15827203580658384478U, (uint64_t)12832694810937550406U, -+ (uint64_t)14977975484447400910U, (uint64_t)5478002389061063653U, -+ (uint64_t)14731136312639060880U, (uint64_t)4317867687275472033U, (uint64_t)6642650962855259884U, -+ (uint64_t)2514254944289495285U, (uint64_t)14231405641534478436U, (uint64_t)4045448346091518946U, -+ (uint64_t)8985477013445972471U, (uint64_t)8869039454457032149U, (uint64_t)4356978486208692970U, -+ (uint64_t)10805288613335538577U, (uint64_t)12832353127812502042U, -+ (uint64_t)4576590051676547490U, (uint64_t)6728053735138655107U, (uint64_t)17814206719173206184U, -+ (uint64_t)79790138573994940U, (uint64_t)17920293215101822267U, (uint64_t)13422026625585728864U, -+ (uint64_t)5018058010492547271U, (uint64_t)110232326023384102U, (uint64_t)10834264070056942976U, -+ (uint64_t)15222249086119088588U, (uint64_t)15119439519142044997U, -+ (uint64_t)11655511970063167313U, (uint64_t)1614477029450566107U, (uint64_t)3619322817271059794U, -+ (uint64_t)9352862040415412867U, (uint64_t)14017522553242747074U, -+ (uint64_t)13138513643674040327U, (uint64_t)3610195242889455765U, (uint64_t)8371069193996567291U, -+ (uint64_t)12670227996544662654U, (uint64_t)1205961025092146303U, -+ (uint64_t)13106709934003962112U, (uint64_t)4350113471327723407U, -+ (uint64_t)15060941403739680459U, (uint64_t)13639127647823205030U, -+ (uint64_t)10790943339357725715U, (uint64_t)498760574280648264U, (uint64_t)17922071907832082887U, -+ (uint64_t)15122670976670152145U, (uint64_t)6275027991110214322U, (uint64_t)7250912847491816402U, -+ (uint64_t)15206617260142982380U, (uint64_t)3385668313694152877U, -+ (uint64_t)17522479771766801905U, (uint64_t)2965919117476170655U, (uint64_t)1553238516603269404U, -+ (uint64_t)5820770015631050991U, (uint64_t)4999445222232605348U, (uint64_t)9245650860833717444U, -+ (uint64_t)1508811811724230728U, (uint64_t)5190684913765614385U, (uint64_t)15692927070934536166U, -+ (uint64_t)12981978499190500902U, (uint64_t)5143491963193394698U, (uint64_t)7705698092144084129U, -+ (uint64_t)581120653055084783U, (uint64_t)13886552864486459714U, (uint64_t)6290301270652587255U, -+ (uint64_t)8663431529954393128U, (uint64_t)17033405846475472443U, (uint64_t)5206780355442651635U, -+ (uint64_t)12580364474736467688U, (uint64_t)17934601912005283310U, -+ (uint64_t)15119491731028933652U, (uint64_t)17848231399859044858U, -+ (uint64_t)4427673319524919329U, (uint64_t)2673607337074368008U, (uint64_t)14034876464294699949U, -+ (uint64_t)10938948975420813697U, (uint64_t)15202340615298669183U, -+ (uint64_t)5496603454069431071U, (uint64_t)2486526142064906845U, (uint64_t)4507882119510526802U, -+ (uint64_t)13888151172411390059U, (uint64_t)15049027856908071726U, -+ (uint64_t)9667231543181973158U, (uint64_t)6406671575277563202U, (uint64_t)3395801050331215139U, -+ (uint64_t)9813607433539108308U, (uint64_t)2681417728820980381U, (uint64_t)18407064643927113994U, -+ (uint64_t)7707177692113485527U, (uint64_t)14218149384635317074U, (uint64_t)3658668346206375919U, -+ (uint64_t)15404713991002362166U, (uint64_t)10152074687696195207U, -+ (uint64_t)10926946599582128139U, (uint64_t)16907298600007085320U, -+ (uint64_t)16544287219664720279U, (uint64_t)11007075933432813205U, -+ (uint64_t)8652245965145713599U, (uint64_t)7857626748965990384U, (uint64_t)5602306604520095870U, -+ (uint64_t)2525139243938658618U, (uint64_t)14405696176872077447U, -+ (uint64_t)18432270482137885332U, (uint64_t)9913880809120071177U, -+ (uint64_t)16896141737831216972U, (uint64_t)7484791498211214829U, -+ (uint64_t)15635259968266497469U, (uint64_t)8495118537612215624U, (uint64_t)4915477980562575356U, -+ (uint64_t)16453519279754924350U, (uint64_t)14462108244565406969U, -+ (uint64_t)14837837755237096687U, (uint64_t)14130171078892575346U, -+ (uint64_t)15423793222528491497U, (uint64_t)5460399262075036084U, -+ (uint64_t)16085440580308415349U, (uint64_t)26873200736954488U, (uint64_t)5603655807457499550U, -+ (uint64_t)3342202915871129617U, (uint64_t)1604413932150236626U, (uint64_t)9684226585089458974U, -+ (uint64_t)1213229904006618539U, (uint64_t)6782978662408837236U, (uint64_t)11197029877749307372U, -+ (uint64_t)14085968786551657744U, (uint64_t)17352273610494009342U, -+ (uint64_t)7876582961192434984U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_128_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)14619254753077084366U, -+ (uint64_t)13913835116514008593U, (uint64_t)15060744674088488145U, -+ (uint64_t)17668414598203068685U, (uint64_t)10761169236902342334U, -+ (uint64_t)15467027479157446221U, (uint64_t)14989185522423469618U, -+ (uint64_t)14354539272510107003U, (uint64_t)14298211796392133693U, -+ (uint64_t)13270323784253711450U, (uint64_t)13380964971965046957U, -+ (uint64_t)8686204248456909699U, (uint64_t)17434630286744937066U, (uint64_t)1355903775279084720U, -+ (uint64_t)7554695053550308662U, (uint64_t)11354971222741863570U, (uint64_t)564601613420749879U, -+ (uint64_t)8466325837259054896U, (uint64_t)10752965181772434263U, -+ (uint64_t)11405876547368426319U, (uint64_t)13791894568738930940U, -+ (uint64_t)8230587134406354675U, (uint64_t)12415514098722758608U, -+ (uint64_t)18414183046995786744U, (uint64_t)15508000368227372870U, -+ (uint64_t)5781062464627999307U, (uint64_t)15339429052219195590U, -+ (uint64_t)16038703753810741903U, (uint64_t)9587718938298980714U, (uint64_t)4822658817952386407U, -+ (uint64_t)1376351024833260660U, (uint64_t)1120174910554766702U, (uint64_t)1730170933262569274U, -+ (uint64_t)5187428548444533500U, (uint64_t)16242053503368957131U, (uint64_t)3036811119519868279U, -+ (uint64_t)1760267587958926638U, (uint64_t)170244572981065185U, (uint64_t)8063080791967388171U, -+ (uint64_t)4824892826607692737U, (uint64_t)16286391083472040552U, -+ (uint64_t)11945158615253358747U, (uint64_t)14096887760410224200U, -+ (uint64_t)1613720831904557039U, (uint64_t)14316966673761197523U, -+ (uint64_t)17411006201485445341U, (uint64_t)8112301506943158801U, (uint64_t)2069889233927989984U, -+ (uint64_t)10082848378277483927U, (uint64_t)3609691194454404430U, (uint64_t)6110437205371933689U, -+ (uint64_t)9769135977342231601U, (uint64_t)11977962151783386478U, -+ (uint64_t)18088718692559983573U, (uint64_t)11741637975753055U, (uint64_t)11110390325701582190U, -+ (uint64_t)1341402251566067019U, (uint64_t)3028229550849726478U, (uint64_t)10438984083997451310U, -+ (uint64_t)12730851885100145709U, (uint64_t)11524169532089894189U, -+ (uint64_t)4523375903229602674U, (uint64_t)2028602258037385622U, (uint64_t)17082839063089388410U, -+ (uint64_t)6103921364634113167U, (uint64_t)17066180888225306102U, -+ (uint64_t)11395680486707876195U, (uint64_t)10952892272443345484U, -+ (uint64_t)8792831960605859401U, (uint64_t)14194485427742325139U, -+ (uint64_t)15146020821144305250U, (uint64_t)1654766014957123343U, (uint64_t)7955526243090948551U, -+ (uint64_t)3989277566080493308U, (uint64_t)12229385116397931231U, -+ (uint64_t)13430548930727025562U, (uint64_t)3434892688179800602U, (uint64_t)8431998794645622027U, -+ (uint64_t)12132530981596299272U, (uint64_t)2289461608863966999U, -+ (uint64_t)18345870950201487179U, (uint64_t)13517947207801901576U, -+ (uint64_t)5213113244172561159U, (uint64_t)17632986594098340879U, (uint64_t)4405251818133148856U, -+ (uint64_t)11783009269435447793U, (uint64_t)9332138983770046035U, -+ (uint64_t)12863411548922539505U, (uint64_t)3717030292816178224U, -+ (uint64_t)10026078446427137374U, (uint64_t)11167295326594317220U, -+ (uint64_t)12425328773141588668U, (uint64_t)5760335125172049352U, (uint64_t)9016843701117277863U, -+ (uint64_t)5657892835694680172U, (uint64_t)11025130589305387464U, (uint64_t)1368484957977406173U, -+ (uint64_t)17361351345281258834U, (uint64_t)1907113641956152700U, -+ (uint64_t)16439233413531427752U, (uint64_t)5893322296986588932U, -+ (uint64_t)14000206906171746627U, (uint64_t)14979266987545792900U, -+ (uint64_t)6926291766898221120U, (uint64_t)7162023296083360752U, (uint64_t)14762747553625382529U, -+ (uint64_t)12610831658612406849U, (uint64_t)10462926899548715515U, -+ (uint64_t)4794017723140405312U, (uint64_t)5234438200490163319U, (uint64_t)8019519110339576320U, -+ (uint64_t)7194604241290530100U, (uint64_t)12626770134810813246U, -+ (uint64_t)10793074474236419890U, (uint64_t)11323224347913978783U, -+ (uint64_t)16831128015895380245U, (uint64_t)18323094195124693378U, -+ (uint64_t)2361097165281567692U, (uint64_t)15755578675014279498U, -+ (uint64_t)14289876470325854580U, (uint64_t)12856787656093616839U, -+ (uint64_t)3578928531243900594U, (uint64_t)3847532758790503699U, (uint64_t)8377953190224748743U, -+ (uint64_t)3314546646092744596U, (uint64_t)800810188859334358U, (uint64_t)4626344124229343596U, -+ (uint64_t)6620381605850876621U, (uint64_t)11422073570955989527U, -+ (uint64_t)12676813626484814469U, (uint64_t)16725029886764122240U, -+ (uint64_t)16648497372773830008U, (uint64_t)9135702594931291048U, -+ (uint64_t)16080949688826680333U, (uint64_t)11528096561346602947U, -+ (uint64_t)2632498067099740984U, (uint64_t)11583842699108800714U, (uint64_t)8378404864573610526U, -+ (uint64_t)1076560261627788534U, (uint64_t)13836015994325032828U, -+ (uint64_t)11234295937817067909U, (uint64_t)5893659808396722708U, -+ (uint64_t)11277421142886984364U, (uint64_t)8968549037166726491U, -+ (uint64_t)14841374331394032822U, (uint64_t)9967344773947889341U, (uint64_t)8799244393578496085U, -+ (uint64_t)5094686877301601410U, (uint64_t)8780316747074726862U, (uint64_t)9119697306829835718U, -+ (uint64_t)15381243327921855368U, (uint64_t)2686250164449435196U, -+ (uint64_t)16466917280442198358U, (uint64_t)13791704489163125216U, -+ (uint64_t)16955859337117924272U, (uint64_t)17112836394923783642U, -+ (uint64_t)4639176427338618063U, (uint64_t)16770029310141094964U, -+ (uint64_t)11049953922966416185U, (uint64_t)12012669590884098968U, -+ (uint64_t)4859326885929417214U, (uint64_t)896380084392586061U, (uint64_t)7153028362977034008U, -+ (uint64_t)10540021163316263301U, (uint64_t)9318277998512936585U, -+ (uint64_t)18344496977694796523U, (uint64_t)11374737400567645494U, -+ (uint64_t)17158800051138212954U, (uint64_t)18343197867863253153U, -+ (uint64_t)18204799297967861226U, (uint64_t)15798973531606348828U, -+ (uint64_t)9870158263408310459U, (uint64_t)17578869832774612627U, (uint64_t)8395748875822696932U, -+ (uint64_t)15310679007370670872U, (uint64_t)11205576736030808860U, -+ (uint64_t)10123429210002838967U, (uint64_t)5910544144088393959U, -+ (uint64_t)14016615653353687369U, (uint64_t)11191676704772957822U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_g_pow2_192_table_w4[192U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)7870395003430845958U, -+ (uint64_t)18001862936410067720U, (uint64_t)8006461232116967215U, (uint64_t)5921313779532424762U, -+ (uint64_t)10702113371959864307U, (uint64_t)8070517410642379879U, (uint64_t)7139806720777708306U, -+ (uint64_t)8253938546650739833U, (uint64_t)17490482834545705718U, (uint64_t)1065249776797037500U, -+ (uint64_t)5018258455937968775U, (uint64_t)14100621120178668337U, (uint64_t)8392845221328116213U, -+ (uint64_t)14630296398338540788U, (uint64_t)4268947906723414372U, (uint64_t)9231207002243517909U, -+ (uint64_t)14261219637616504262U, (uint64_t)7786881626982345356U, -+ (uint64_t)11412720751765882139U, (uint64_t)14119585051365330009U, -+ (uint64_t)15281626286521302128U, (uint64_t)6350171933454266732U, -+ (uint64_t)16559468304937127866U, (uint64_t)13200760478271693417U, -+ (uint64_t)6733381546280350776U, (uint64_t)3801404890075189193U, (uint64_t)2741036364686993903U, -+ (uint64_t)3218612940540174008U, (uint64_t)10894914335165419505U, -+ (uint64_t)11862941430149998362U, (uint64_t)4223151729402839584U, (uint64_t)2913215088487087887U, -+ (uint64_t)14562168920104952953U, (uint64_t)2170089393468287453U, -+ (uint64_t)10520900655016579352U, (uint64_t)7040362608949989273U, (uint64_t)8376510559381705307U, -+ (uint64_t)9142237200448131532U, (uint64_t)5696859948123854080U, (uint64_t)925422306716081180U, -+ (uint64_t)11155545953469186421U, (uint64_t)1888208646862572812U, -+ (uint64_t)11151095998248845721U, (uint64_t)15793503271680275267U, -+ (uint64_t)7729877044494854851U, (uint64_t)6235134673193032913U, (uint64_t)7364280682182401564U, -+ (uint64_t)5479679373325519985U, (uint64_t)17966037684582301763U, -+ (uint64_t)14140891609330279185U, (uint64_t)5814744449740463867U, (uint64_t)5652588426712591652U, -+ (uint64_t)774745682988690912U, (uint64_t)13228255573220500373U, (uint64_t)11949122068786859397U, -+ (uint64_t)8021166392900770376U, (uint64_t)7994323710948720063U, (uint64_t)9924618472877849977U, -+ (uint64_t)17618517523141194266U, (uint64_t)2750424097794401714U, -+ (uint64_t)15481749570715253207U, (uint64_t)14646964509921760497U, -+ (uint64_t)1037442848094301355U, (uint64_t)6295995947389299132U, (uint64_t)16915049722317579514U, -+ (uint64_t)10493877400992990313U, (uint64_t)18391008753060553521U, (uint64_t)483942209623707598U, -+ (uint64_t)2017775662838016613U, (uint64_t)5933251998459363553U, (uint64_t)11789135019970707407U, -+ (uint64_t)5484123723153268336U, (uint64_t)13246954648848484954U, (uint64_t)4774374393926023505U, -+ (uint64_t)14863995618704457336U, (uint64_t)13220153167104973625U, -+ (uint64_t)5988445485312390826U, (uint64_t)17580359464028944682U, (uint64_t)7297100131969874771U, -+ (uint64_t)379931507867989375U, (uint64_t)10927113096513421444U, (uint64_t)17688881974428340857U, -+ (uint64_t)4259872578781463333U, (uint64_t)8573076295966784472U, (uint64_t)16389829450727275032U, -+ (uint64_t)1667243868963568259U, (uint64_t)17730726848925960919U, -+ (uint64_t)11408899874569778008U, (uint64_t)3576527582023272268U, -+ (uint64_t)16492920640224231656U, (uint64_t)7906130545972460130U, -+ (uint64_t)13878604278207681266U, (uint64_t)41446695125652041U, (uint64_t)8891615271337333503U, -+ (uint64_t)2594537723613594470U, (uint64_t)7699579176995770924U, (uint64_t)147458463055730655U, -+ (uint64_t)12120406862739088406U, (uint64_t)12044892493010567063U, -+ (uint64_t)8554076749615475136U, (uint64_t)1005097692260929999U, (uint64_t)2687202654471188715U, -+ (uint64_t)9457588752176879209U, (uint64_t)17472884880062444019U, (uint64_t)9792097892056020166U, -+ (uint64_t)2525246678512797150U, (uint64_t)15958903035313115662U, -+ (uint64_t)11336038170342247032U, (uint64_t)11560342382835141123U, -+ (uint64_t)6212009033479929024U, (uint64_t)8214308203775021229U, (uint64_t)8475469210070503698U, -+ (uint64_t)13287024123485719563U, (uint64_t)12956951963817520723U, -+ (uint64_t)10693035819908470465U, (uint64_t)11375478788224786725U, -+ (uint64_t)16934625208487120398U, (uint64_t)10094585729115874495U, -+ (uint64_t)2763884524395905776U, (uint64_t)13535890148969964883U, -+ (uint64_t)13514657411765064358U, (uint64_t)9903074440788027562U, -+ (uint64_t)17324720726421199990U, (uint64_t)2273931039117368789U, (uint64_t)3442641041506157854U, -+ (uint64_t)1119853641236409612U, (uint64_t)12037070344296077989U, (uint64_t)581736433335671746U, -+ (uint64_t)6019150647054369174U, (uint64_t)14864096138068789375U, (uint64_t)6652995210998318662U, -+ (uint64_t)12773883697029175304U, (uint64_t)12751275631451845119U, -+ (uint64_t)11449095003038250478U, (uint64_t)1025805267334366480U, (uint64_t)2764432500300815015U, -+ (uint64_t)18274564429002844381U, (uint64_t)10445634195592600351U, -+ (uint64_t)11814099592837202735U, (uint64_t)5006796893679120289U, (uint64_t)6908397253997261914U, -+ (uint64_t)13266696965302879279U, (uint64_t)7768715053015037430U, (uint64_t)3569923738654785686U, -+ (uint64_t)5844853453464857549U, (uint64_t)1837340805629559110U, (uint64_t)1034657624388283114U, -+ (uint64_t)711244516069456460U, (uint64_t)12519286026957934814U, (uint64_t)2613464944620837619U, -+ (uint64_t)10003023321338286213U, (uint64_t)7291332092642881376U, (uint64_t)9832199564117004897U, -+ (uint64_t)3280736694860799890U, (uint64_t)6416452202849179874U, (uint64_t)7326961381798642069U, -+ (uint64_t)8435688798040635029U, (uint64_t)16630141263910982958U, -+ (uint64_t)17222635514422533318U, (uint64_t)9482787389178881499U, (uint64_t)836561194658263905U, -+ (uint64_t)3405319043337616649U, (uint64_t)2786146577568026518U, (uint64_t)7625483685691626321U, -+ (uint64_t)6728084875304656716U, (uint64_t)1140997959232544268U, (uint64_t)12847384827606303792U, -+ (uint64_t)1719121337754572070U, (uint64_t)12863589482936438532U, (uint64_t)3880712899640530862U, -+ (uint64_t)2748456882813671564U, (uint64_t)4775988900044623019U, (uint64_t)8937847374382191162U, -+ (uint64_t)3767367347172252295U, (uint64_t)13468672401049388646U, -+ (uint64_t)14359032216842397576U, (uint64_t)2002555958685443975U, -+ (uint64_t)16488678606651526810U, (uint64_t)11826135409597474760U, -+ (uint64_t)15296495673182508601U -+ }; -+ -+static const uint64_t -+ Hacl_P256_PrecompTable_precomp_basepoint_table_w5[384U] = { -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)0U, (uint64_t)8784043285714375740U, -+ (uint64_t)8483257759279461889U, (uint64_t)8789745728267363600U, (uint64_t)1770019616739251654U, -+ (uint64_t)15992936863339206154U, (uint64_t)10037038012062884956U, -+ (uint64_t)15197544864945402661U, (uint64_t)9615747158586711429U, (uint64_t)1U, -+ (uint64_t)18446744069414584320U, (uint64_t)18446744073709551615U, (uint64_t)4294967294U, -+ (uint64_t)10634854829044225757U, (uint64_t)351552716085025155U, (uint64_t)10645315080955407736U, -+ (uint64_t)3609262091244858135U, (uint64_t)15760741698986874125U, -+ (uint64_t)14936374388219697827U, (uint64_t)15751360096993017895U, -+ (uint64_t)18012233706239762398U, (uint64_t)1993877568177495041U, -+ (uint64_t)10345888787846536528U, (uint64_t)7746511691117935375U, -+ (uint64_t)14517043990409914413U, (uint64_t)14122549297570634151U, -+ (uint64_t)16934610359517083771U, (uint64_t)5724511325497097418U, (uint64_t)8983432969107448705U, -+ (uint64_t)2687429970334080245U, (uint64_t)16525396802810050288U, (uint64_t)7602596488871585854U, -+ (uint64_t)4813919589149203084U, (uint64_t)7680395813780804519U, (uint64_t)6687709583048023590U, -+ (uint64_t)18086445169104142027U, (uint64_t)9637814708330203929U, -+ (uint64_t)14785108459960679090U, (uint64_t)3838023279095023581U, (uint64_t)3555615526157830307U, -+ (uint64_t)5177066488380472871U, (uint64_t)18218186719108038403U, -+ (uint64_t)16281556341699656105U, (uint64_t)1524227924561461191U, (uint64_t)4148060517641909597U, -+ (uint64_t)2858290374115363433U, (uint64_t)8942772026334130620U, (uint64_t)3034451298319885113U, -+ (uint64_t)8447866036736640940U, (uint64_t)11204933433076256578U, -+ (uint64_t)18333595740249588297U, (uint64_t)8259597024804538246U, (uint64_t)9539734295777539786U, -+ (uint64_t)9797290423046626413U, (uint64_t)5777303437849646537U, (uint64_t)8739356909899132020U, -+ (uint64_t)14815960973766782158U, (uint64_t)15286581798204509801U, -+ (uint64_t)17597362577777019682U, (uint64_t)13259283710820519742U, -+ (uint64_t)10501322996899164670U, (uint64_t)1221138904338319642U, -+ (uint64_t)14586685489551951885U, (uint64_t)895326705426031212U, (uint64_t)14398171728560617847U, -+ (uint64_t)9592550823745097391U, (uint64_t)17240998489162206026U, (uint64_t)8085479283308189196U, -+ (uint64_t)14844657737893882826U, (uint64_t)15923425394150618234U, -+ (uint64_t)2997808084773249525U, (uint64_t)494323555453660587U, (uint64_t)1215695327517794764U, -+ (uint64_t)9476207381098391690U, (uint64_t)7480789678419122995U, (uint64_t)15212230329321082489U, -+ (uint64_t)436189395349576388U, (uint64_t)17377474396456660834U, (uint64_t)15237013929655017939U, -+ (uint64_t)11444428846883781676U, (uint64_t)5112749694521428575U, (uint64_t)950829367509872073U, -+ (uint64_t)17665036182057559519U, (uint64_t)17205133339690002313U, -+ (uint64_t)16233765170251334549U, (uint64_t)10122775683257972591U, -+ (uint64_t)3352514236455632420U, (uint64_t)9143148522359954691U, (uint64_t)601191684005658860U, -+ (uint64_t)13398772186646349998U, (uint64_t)15512696600132928431U, -+ (uint64_t)9128416073728948653U, (uint64_t)11233051033546138578U, (uint64_t)6769345682610122833U, -+ (uint64_t)10823233224575054288U, (uint64_t)9997725227559980175U, (uint64_t)6733425642852897415U, -+ (uint64_t)16302206918151466066U, (uint64_t)1669330822143265921U, (uint64_t)2661645605036546002U, -+ (uint64_t)17182558479745802165U, (uint64_t)1165082692376932040U, (uint64_t)9470595929011488359U, -+ (uint64_t)6142147329285324932U, (uint64_t)4829075085998111287U, (uint64_t)10231370681107338930U, -+ (uint64_t)9591876895322495239U, (uint64_t)10316468561384076618U, -+ (uint64_t)11592503647238064235U, (uint64_t)13395813606055179632U, (uint64_t)511127033980815508U, -+ (uint64_t)12434976573147649880U, (uint64_t)3425094795384359127U, (uint64_t)6816971736303023445U, -+ (uint64_t)15444670609021139344U, (uint64_t)9464349818322082360U, -+ (uint64_t)16178216413042376883U, (uint64_t)9595540370774317348U, (uint64_t)7229365182662875710U, -+ (uint64_t)4601177649460012843U, (uint64_t)5455046447382487090U, (uint64_t)10854066421606187521U, -+ (uint64_t)15913416821879788071U, (uint64_t)2297365362023460173U, (uint64_t)2603252216454941350U, -+ (uint64_t)6768791943870490934U, (uint64_t)15705936687122754810U, (uint64_t)9537096567546600694U, -+ (uint64_t)17580538144855035062U, (uint64_t)4496542856965746638U, (uint64_t)8444341625922124942U, -+ (uint64_t)12191263903636183168U, (uint64_t)17427332907535974165U, -+ (uint64_t)14307569739254103736U, (uint64_t)13900598742063266169U, -+ (uint64_t)7176996424355977650U, (uint64_t)5709008170379717479U, (uint64_t)14471312052264549092U, -+ (uint64_t)1464519909491759867U, (uint64_t)3328154641049602121U, (uint64_t)13020349337171136774U, -+ (uint64_t)2772166279972051938U, (uint64_t)10854476939425975292U, (uint64_t)1967189930534630940U, -+ (uint64_t)2802919076529341959U, (uint64_t)14792226094833519208U, -+ (uint64_t)14675640928566522177U, (uint64_t)14838974364643800837U, -+ (uint64_t)17631460696099549980U, (uint64_t)17434186275364935469U, -+ (uint64_t)2665648200587705473U, (uint64_t)13202122464492564051U, (uint64_t)7576287350918073341U, -+ (uint64_t)2272206013910186424U, (uint64_t)14558761641743937843U, (uint64_t)5675729149929979729U, -+ (uint64_t)9043135187561613166U, (uint64_t)11750149293830589225U, (uint64_t)740555197954307911U, -+ (uint64_t)9871738005087190699U, (uint64_t)17178667634283502053U, -+ (uint64_t)18046255991533013265U, (uint64_t)4458222096988430430U, (uint64_t)8452427758526311627U, -+ (uint64_t)13825286929656615266U, (uint64_t)13956286357198391218U, -+ (uint64_t)15875692916799995079U, (uint64_t)10634895319157013920U, -+ (uint64_t)13230116118036304207U, (uint64_t)8795317393614625606U, (uint64_t)7001710806858862020U, -+ (uint64_t)7949746088586183478U, (uint64_t)14677556044923602317U, -+ (uint64_t)11184023437485843904U, (uint64_t)11215864722023085094U, -+ (uint64_t)6444464081471519014U, (uint64_t)1706241174022415217U, (uint64_t)8243975633057550613U, -+ (uint64_t)15502902453836085864U, (uint64_t)3799182188594003953U, (uint64_t)3538840175098724094U, -+ (uint64_t)13240193491554624643U, (uint64_t)12365034249541329920U, -+ (uint64_t)2924326828590977357U, (uint64_t)5687195797140589099U, (uint64_t)16880427227292834531U, -+ (uint64_t)9691471435758991112U, (uint64_t)16642385273732487288U, -+ (uint64_t)12173806747523009914U, (uint64_t)13142722756877876849U, -+ (uint64_t)8370377548305121979U, (uint64_t)17988526053752025426U, (uint64_t)4818750752684100334U, -+ (uint64_t)5669241919350361655U, (uint64_t)4964810303238518540U, (uint64_t)16709712747671533191U, -+ (uint64_t)4461414404267448242U, (uint64_t)3971798785139504238U, (uint64_t)6276818948740422136U, -+ (uint64_t)1426735892164275762U, (uint64_t)7943622674892418919U, (uint64_t)9864274225563929680U, -+ (uint64_t)57815533745003233U, (uint64_t)10893588105168960233U, (uint64_t)15739162732907069535U, -+ (uint64_t)3923866849462073470U, (uint64_t)12279826158399226875U, (uint64_t)1533015761334846582U, -+ (uint64_t)15860156818568437510U, (uint64_t)8252625373831297988U, (uint64_t)9666953804812706358U, -+ (uint64_t)8767785238646914634U, (uint64_t)14382179044941403551U, -+ (uint64_t)10401039907264254245U, (uint64_t)8584860003763157350U, (uint64_t)3120462679504470266U, -+ (uint64_t)8670255778748340069U, (uint64_t)5313789577940369984U, (uint64_t)16977072364454789224U, -+ (uint64_t)12199578693972188324U, (uint64_t)18211098771672599237U, -+ (uint64_t)12868831556008795030U, (uint64_t)5310155061431048194U, -+ (uint64_t)18114153238435112606U, (uint64_t)14482365809278304512U, -+ (uint64_t)12520721662723001511U, (uint64_t)405943624021143002U, (uint64_t)8146944101507657423U, -+ (uint64_t)181739317780393495U, (uint64_t)81743892273670099U, (uint64_t)14759561962550473930U, -+ (uint64_t)4592623849546992939U, (uint64_t)6916440441743449719U, (uint64_t)1304610503530809833U, -+ (uint64_t)5464930909232486441U, (uint64_t)15414883617496224671U, (uint64_t)8129283345256790U, -+ (uint64_t)18294252198413739489U, (uint64_t)17394115281884857288U, -+ (uint64_t)7808348415224731235U, (uint64_t)13195566655747230608U, (uint64_t)8568194219353949094U, -+ (uint64_t)15329813048672122440U, (uint64_t)9604275495885785744U, (uint64_t)1577712551205219835U, -+ (uint64_t)15964209008022052790U, (uint64_t)15087297920782098160U, -+ (uint64_t)3946031512438511898U, (uint64_t)10050061168984440631U, -+ (uint64_t)11382452014533138316U, (uint64_t)6313670788911952792U, -+ (uint64_t)12015989229696164014U, (uint64_t)5946702628076168852U, (uint64_t)5219995658774362841U, -+ (uint64_t)12230141881068377972U, (uint64_t)12361195202673441956U, -+ (uint64_t)4732862275653856711U, (uint64_t)17221430380805252370U, -+ (uint64_t)15397525953897375810U, (uint64_t)16557437297239563045U, -+ (uint64_t)10101683801868971351U, (uint64_t)1402611372245592868U, (uint64_t)1931806383735563658U, -+ (uint64_t)10991705207471512479U, (uint64_t)861333583207471392U, (uint64_t)15207766844626322355U, -+ (uint64_t)9224628129811432393U, (uint64_t)3497069567089055613U, (uint64_t)11956632757898590316U, -+ (uint64_t)8733729372586312960U, (uint64_t)18091521051714930927U, (uint64_t)77582787724373283U, -+ (uint64_t)9922437373519669237U, (uint64_t)3079321456325704615U, (uint64_t)12171198408512478457U, -+ (uint64_t)17179130884012147596U, (uint64_t)6839115479620367181U, (uint64_t)4421032569964105406U, -+ (uint64_t)10353331468657256053U, (uint64_t)17400988720335968824U, -+ (uint64_t)17138855889417480540U, (uint64_t)4507980080381370611U, -+ (uint64_t)10703175719793781886U, (uint64_t)12598516658725890426U, -+ (uint64_t)8353463412173898932U, (uint64_t)17703029389228422404U, (uint64_t)9313111267107226233U, -+ (uint64_t)5441322942995154196U, (uint64_t)8952817660034465484U, (uint64_t)17571113341183703118U, -+ (uint64_t)7375087953801067019U, (uint64_t)13381466302076453648U, (uint64_t)3218165271423914596U, -+ (uint64_t)16956372157249382685U, (uint64_t)509080090049418841U, (uint64_t)13374233893294084913U, -+ (uint64_t)2988537624204297086U, (uint64_t)4979195832939384620U, (uint64_t)3803931594068976394U, -+ (uint64_t)10731535883829627646U, (uint64_t)12954845047607194278U, -+ (uint64_t)10494298062560667399U, (uint64_t)4967351022190213065U, -+ (uint64_t)13391917938145756456U, (uint64_t)951370484866918160U, (uint64_t)13531334179067685307U, -+ (uint64_t)12868421357919390599U, (uint64_t)15918857042998130258U, -+ (uint64_t)17769743831936974016U, (uint64_t)7137921979260368809U, -+ (uint64_t)12461369180685892062U, (uint64_t)827476514081935199U, (uint64_t)15107282134224767230U, -+ (uint64_t)10084765752802805748U, (uint64_t)3303739059392464407U, -+ (uint64_t)17859532612136591428U, (uint64_t)10949414770405040164U, -+ (uint64_t)12838613589371008785U, (uint64_t)5554397169231540728U, -+ (uint64_t)18375114572169624408U, (uint64_t)15649286703242390139U, -+ (uint64_t)2957281557463706877U, (uint64_t)14000350446219393213U, -+ (uint64_t)14355199721749620351U, (uint64_t)2730856240099299695U, -+ (uint64_t)17528131000714705752U, (uint64_t)2537498525883536360U, (uint64_t)6121058967084509393U, -+ (uint64_t)16897667060435514221U, (uint64_t)12367869599571112440U, -+ (uint64_t)3388831797050807508U, (uint64_t)16791449724090982798U, (uint64_t)2673426123453294928U, -+ (uint64_t)11369313542384405846U, (uint64_t)15641960333586432634U, -+ (uint64_t)15080962589658958379U, (uint64_t)7747943772340226569U, (uint64_t)8075023376199159152U, -+ (uint64_t)8485093027378306528U, (uint64_t)13503706844122243648U, (uint64_t)8401961362938086226U, -+ (uint64_t)8125426002124226402U, (uint64_t)9005399361407785203U, (uint64_t)6847968030066906634U, -+ (uint64_t)11934937736309295197U, (uint64_t)5116750888594772351U, (uint64_t)2817039227179245227U, -+ (uint64_t)17724206901239332980U, (uint64_t)4985702708254058578U, (uint64_t)5786345435756642871U, -+ (uint64_t)17772527414940936938U, (uint64_t)1201320251272957006U, -+ (uint64_t)15787430120324348129U, (uint64_t)6305488781359965661U, -+ (uint64_t)12423900845502858433U, (uint64_t)17485949424202277720U, -+ (uint64_t)2062237315546855852U, (uint64_t)10353639467860902375U, (uint64_t)2315398490451287299U, -+ (uint64_t)15394572894814882621U, (uint64_t)232866113801165640U, (uint64_t)7413443736109338926U, -+ (uint64_t)902719806551551191U, (uint64_t)16568853118619045174U, (uint64_t)14202214862428279177U, -+ (uint64_t)11719595395278861192U, (uint64_t)5890053236389907647U, (uint64_t)9996196494965833627U, -+ (uint64_t)12967056942364782577U, (uint64_t)9034128755157395787U, -+ (uint64_t)17898204904710512655U, (uint64_t)8229373445062993977U, -+ (uint64_t)13580036169519833644U -+ }; -+ -+#if defined(__cplusplus) -+} -+#endif -+ -+#define __internal_Hacl_P256_PrecompTable_H_DEFINED -+#endif -diff --git a/lib/freebl/verified/internal/lib_intrinsics.h b/lib/freebl/verified/internal/lib_intrinsics.h -new file mode 100644 ---- /dev/null -+++ b/lib/freebl/verified/internal/lib_intrinsics.h -@@ -0,0 +1,81 @@ -+#pragma once -+ -+#include -+ -+#if defined(__has_include) -+#if __has_include("config.h") -+#include "config.h" -+#endif -+#endif -+ -+#if !defined(HACL_CAN_COMPILE_INTRINSICS) || \ -+ (defined(__clang__) && (__clang_major__ < 5)) -+ -+#include "Hacl_IntTypes_Intrinsics.h" -+ -+#if defined(HACL_CAN_COMPILE_UINT128) -+ -+#include "Hacl_IntTypes_Intrinsics_128.h" -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_128_add_carry_u64(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_128_sub_borrow_u64(x1, x2, x3, x4)) -+ -+#else -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4)) -+ -+#endif // defined(HACL_CAN_COMPILE_UINT128) -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (Hacl_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4)) -+ -+#else // !defined(HACL_CAN_COMPILE_INTRINSICS) -+ -+#if defined(_MSC_VER) -+#include -+#else -+#include -+#endif -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u32(x1, x2, x3, x4) \ -+ (_addcarry_u32(x1, x2, x3, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_add_carry_u64(x1, x2, x3, x4) \ -+ (_addcarry_u64(x1, x2, x3, (long long unsigned int *)x4)) -+ -+/* -+ GCC versions prior to 7.2 pass arguments to _subborrow_u{32,64} -+ in an incorrect order. -+ -+ See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81294 -+*/ -+#if defined(__GNUC__) && !defined(__clang__) && \ -+ (__GNUC__ < 7 || (__GNUC__ == 7 && (__GNUC_MINOR__ < 2))) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (_subborrow_u32(x1, x3, x2, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (_subborrow_u64(x1, x3, x2, (long long unsigned int *)x4)) -+ -+#else -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u32(x1, x2, x3, x4) \ -+ (_subborrow_u32(x1, x2, x3, (unsigned int *)x4)) -+ -+#define Lib_IntTypes_Intrinsics_sub_borrow_u64(x1, x2, x3, x4) \ -+ (_subborrow_u64(x1, x2, x3, (long long unsigned int *)x4)) -+ -+#endif // GCC < 7.2 -+ -+#endif // !HACL_CAN_COMPILE_INTRINSICS -diff --git a/lib/freebl/verified/karamel/include/krml/internal/target.h b/lib/freebl/verified/karamel/include/krml/internal/target.h ---- a/lib/freebl/verified/karamel/include/krml/internal/target.h -+++ b/lib/freebl/verified/karamel/include/krml/internal/target.h -@@ -1,21 +1,21 @@ - /* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. - Licensed under the Apache 2.0 License. */ - - #ifndef __KRML_TARGET_H - #define __KRML_TARGET_H - --#include -+#include -+#include -+#include -+#include - #include - #include --#include --#include --#include --#include -+#include - - /* Since KaRaMeL emits the inline keyword unconditionally, we follow the - * guidelines at https://gcc.gnu.org/onlinedocs/gcc/Inline.html and make this - * __inline__ to ensure the code compiles with -std=c90 and earlier. */ - #ifdef __GNUC__ - #define inline __inline__ - #endif - -@@ -52,16 +52,29 @@ - #ifndef KRML_HOST_FREE - #define KRML_HOST_FREE free - #endif - - #ifndef KRML_HOST_IGNORE - #define KRML_HOST_IGNORE(x) (void)(x) - #endif - -+#ifndef KRML_NOINLINE -+#if defined(_MSC_VER) -+#define KRML_NOINLINE __declspec(noinline) -+#elif defined(__GNUC__) -+#define KRML_NOINLINE __attribute__((noinline)) -+#else -+#define KRML_NOINLINE -+#warning "The KRML_NOINLINE macro is not defined for this toolchain!" -+#warning "The compiler may defeat side-channel resistance with optimizations." -+#warning "Please locate target.h and try to fill it out with a suitable definition for this compiler." -+#endif -+#endif -+ - #ifndef KRML_PRE_ALIGN - #ifdef _MSC_VER - #define KRML_PRE_ALIGN(X) __declspec(align(X)) - #else - #define KRML_PRE_ALIGN(X) - #endif - #endif - -@@ -75,32 +88,36 @@ - - /* MinGW-W64 does not support C11 aligned_alloc, but it supports - * MSVC's _aligned_malloc. - */ - #ifndef KRML_ALIGNED_MALLOC - #ifdef __MINGW32__ - #include <_mingw.h> - #endif --#if (defined(_MSC_VER) || (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) -+#if ( \ -+ defined(_MSC_VER) || \ -+ (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) - #define KRML_ALIGNED_MALLOC(X, Y) _aligned_malloc(Y, X) - #else - #define KRML_ALIGNED_MALLOC(X, Y) aligned_alloc(X, Y) - #endif - #endif - - /* Since aligned allocations with MinGW-W64 are done with - * _aligned_malloc (see above), such pointers must be freed with - * _aligned_free. - */ - #ifndef KRML_ALIGNED_FREE - #ifdef __MINGW32__ - #include <_mingw.h> - #endif --#if (defined(_MSC_VER) || (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) -+#if ( \ -+ defined(_MSC_VER) || \ -+ (defined(__MINGW32__) && defined(__MINGW64_VERSION_MAJOR))) - #define KRML_ALIGNED_FREE(X) _aligned_free(X) - #else - #define KRML_ALIGNED_FREE(X) free(X) - #endif - #endif - - #ifndef KRML_HOST_TIME - -@@ -148,17 +165,18 @@ krml_time(void) - "Maximum allocatable size exceeded, aborting before overflow at " \ - "%s:%d\n", \ - __FILE__, __LINE__); \ - KRML_HOST_EXIT(253); \ - } \ - } while (0) - - #if defined(_MSC_VER) && _MSC_VER < 1900 --#define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) -+#define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) \ -+ _snprintf_s(buf, sz, _TRUNCATE, fmt, arg) - #else - #define KRML_HOST_SNPRINTF(buf, sz, fmt, arg) snprintf(buf, sz, fmt, arg) - #endif - - #if defined(__GNUC__) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ > 4)) - #define KRML_DEPRECATED(x) __attribute__((deprecated(x))) - #elif defined(__GNUC__) - /* deprecated attribute is not defined in GCC < 4.5. */ -@@ -167,16 +185,17 @@ krml_time(void) - #define KRML_DEPRECATED(x) __declspec(deprecated(x)) - #endif - - /* Macros for prettier unrolling of loops */ - #define KRML_LOOP1(i, n, x) \ - { \ - x \ - i += n; \ -+ (void)i; \ - } - - #define KRML_LOOP2(i, n, x) \ - KRML_LOOP1(i, n, x) \ - KRML_LOOP1(i, n, x) - - #define KRML_LOOP3(i, n, x) \ - KRML_LOOP2(i, n, x) \ -diff --git a/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h b/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h ---- a/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h -+++ b/lib/freebl/verified/karamel/krmllib/dist/minimal/FStar_UInt_8_16_32_64.h -@@ -8,25 +8,35 @@ - - #include - #include - #include "krml/internal/compat.h" - #include "krml/lowstar_endianness.h" - #include "krml/internal/types.h" - #include "krml/internal/target.h" - --extern Prims_int FStar_UInt64_n; -+#if defined(__clang__) -+#pragma clang diagnostic push -+#pragma clang diagnostic ignored "-Wunused-function" -+#endif -+ -+#if defined(__GNUC__) -+#pragma GCC diagnostic push -+#pragma GCC diagnostic ignored "-Wunused-function" -+#endif -+ -+extern krml_checked_int_t FStar_UInt64_n; - - extern bool FStar_UInt64_uu___is_Mk(uint64_t projectee); - --extern Prims_int FStar_UInt64___proj__Mk__item__v(uint64_t projectee); -+extern krml_checked_int_t FStar_UInt64___proj__Mk__item__v(uint64_t projectee); - --extern Prims_int FStar_UInt64_v(uint64_t x); -+extern krml_checked_int_t FStar_UInt64_v(uint64_t x); - --extern uint64_t FStar_UInt64_uint_to_t(Prims_int x); -+extern uint64_t FStar_UInt64_uint_to_t(krml_checked_int_t x); - - extern uint64_t FStar_UInt64_zero; - - extern uint64_t FStar_UInt64_one; - - extern uint64_t FStar_UInt64_minus(uint64_t a); - - extern uint32_t FStar_UInt64_n_minus_one; -@@ -58,25 +68,25 @@ FStar_UInt64_gte_mask(uint64_t a, uint64 - extern Prims_string FStar_UInt64_to_string(uint64_t uu___); - - extern Prims_string FStar_UInt64_to_string_hex(uint64_t uu___); - - extern Prims_string FStar_UInt64_to_string_hex_pad(uint64_t uu___); - - extern uint64_t FStar_UInt64_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt32_n; -+extern krml_checked_int_t FStar_UInt32_n; - - extern bool FStar_UInt32_uu___is_Mk(uint32_t projectee); - --extern Prims_int FStar_UInt32___proj__Mk__item__v(uint32_t projectee); -+extern krml_checked_int_t FStar_UInt32___proj__Mk__item__v(uint32_t projectee); - --extern Prims_int FStar_UInt32_v(uint32_t x); -+extern krml_checked_int_t FStar_UInt32_v(uint32_t x); - --extern uint32_t FStar_UInt32_uint_to_t(Prims_int x); -+extern uint32_t FStar_UInt32_uint_to_t(krml_checked_int_t x); - - extern uint32_t FStar_UInt32_zero; - - extern uint32_t FStar_UInt32_one; - - extern uint32_t FStar_UInt32_minus(uint32_t a); - - extern uint32_t FStar_UInt32_n_minus_one; -@@ -108,25 +118,25 @@ FStar_UInt32_gte_mask(uint32_t a, uint32 - extern Prims_string FStar_UInt32_to_string(uint32_t uu___); - - extern Prims_string FStar_UInt32_to_string_hex(uint32_t uu___); - - extern Prims_string FStar_UInt32_to_string_hex_pad(uint32_t uu___); - - extern uint32_t FStar_UInt32_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt16_n; -+extern krml_checked_int_t FStar_UInt16_n; - - extern bool FStar_UInt16_uu___is_Mk(uint16_t projectee); - --extern Prims_int FStar_UInt16___proj__Mk__item__v(uint16_t projectee); -+extern krml_checked_int_t FStar_UInt16___proj__Mk__item__v(uint16_t projectee); - --extern Prims_int FStar_UInt16_v(uint16_t x); -+extern krml_checked_int_t FStar_UInt16_v(uint16_t x); - --extern uint16_t FStar_UInt16_uint_to_t(Prims_int x); -+extern uint16_t FStar_UInt16_uint_to_t(krml_checked_int_t x); - - extern uint16_t FStar_UInt16_zero; - - extern uint16_t FStar_UInt16_one; - - extern uint16_t FStar_UInt16_minus(uint16_t a); - - extern uint32_t FStar_UInt16_n_minus_one; -@@ -158,25 +168,25 @@ FStar_UInt16_gte_mask(uint16_t a, uint16 - extern Prims_string FStar_UInt16_to_string(uint16_t uu___); - - extern Prims_string FStar_UInt16_to_string_hex(uint16_t uu___); - - extern Prims_string FStar_UInt16_to_string_hex_pad(uint16_t uu___); - - extern uint16_t FStar_UInt16_of_string(Prims_string uu___); - --extern Prims_int FStar_UInt8_n; -+extern krml_checked_int_t FStar_UInt8_n; - - extern bool FStar_UInt8_uu___is_Mk(uint8_t projectee); - --extern Prims_int FStar_UInt8___proj__Mk__item__v(uint8_t projectee); -+extern krml_checked_int_t FStar_UInt8___proj__Mk__item__v(uint8_t projectee); - --extern Prims_int FStar_UInt8_v(uint8_t x); -+extern krml_checked_int_t FStar_UInt8_v(uint8_t x); - --extern uint8_t FStar_UInt8_uint_to_t(Prims_int x); -+extern uint8_t FStar_UInt8_uint_to_t(krml_checked_int_t x); - - extern uint8_t FStar_UInt8_zero; - - extern uint8_t FStar_UInt8_one; - - extern uint8_t FStar_UInt8_minus(uint8_t a); - - extern uint32_t FStar_UInt8_n_minus_one; -@@ -210,10 +220,18 @@ extern Prims_string FStar_UInt8_to_strin - extern Prims_string FStar_UInt8_to_string_hex(uint8_t uu___); - - extern Prims_string FStar_UInt8_to_string_hex_pad(uint8_t uu___); - - extern uint8_t FStar_UInt8_of_string(Prims_string uu___); - - typedef uint8_t FStar_UInt8_byte; - -+#if defined(__clang__) -+#pragma clang diagnostic pop -+#endif -+ -+#if defined(__GNUC__) -+#pragma GCC diagnostic pop -+#endif -+ - #define __FStar_UInt_8_16_32_64_H_DEFINED - #endif - diff --git a/nss-3.94-fix-ec-encoding.patch b/nss-3.94-fix-ec-encoding.patch new file mode 100644 index 0000000..f4361c9 --- /dev/null +++ b/nss-3.94-fix-ec-encoding.patch @@ -0,0 +1,107 @@ +diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h +--- a/lib/freebl/blapit.h ++++ b/lib/freebl/blapit.h +@@ -387,17 +387,18 @@ typedef struct DHPrivateKeyStr DHPrivate + */ + + /* + ** The ECParams data structures can encode elliptic curve + ** parameters for both GFp and GF2m curves. + */ + + typedef enum { ec_params_explicit, +- ec_params_named ++ ec_params_named, ++ ec_params_edwards_named + } ECParamsType; + + typedef enum { ec_field_GFp = 1, + ec_field_GF2m, + ec_field_plain + } ECFieldType; + + struct ECFieldIDStr { +diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c +--- a/lib/freebl/ecdecode.c ++++ b/lib/freebl/ecdecode.c +@@ -171,16 +171,17 @@ EC_FillParams(PLArenaPool *arena, const + * (the NIST P-521 curve) + */ + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, + ec_field_GFp, params)); + break; + + case SEC_OID_CURVE25519: + /* Populate params for Curve25519 */ ++ params->type = ec_params_edwards_named; + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, + ec_field_plain, + params)); + break; + + default: + break; + }; +diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c +--- a/lib/softoken/pkcs11.c ++++ b/lib/softoken/pkcs11.c +@@ -1921,17 +1921,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE + /* special note: We can't just use the first byte to distinguish + * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING. + * Both are 0x04. */ + + /* Handle the non-DER encoded case. + * Some curves are always pressumed to be non-DER. + */ + if (pubKey->u.ec.publicValue.len == keyLen && +- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain || ++ (pubKey->u.ec.ecParams.type == ec_params_edwards_named || + pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) { + break; /* key was not DER encoded, no need to unwrap */ + } + + /* handle the encoded case */ + if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) && + pubKey->u.ec.publicValue.len > keyLen) { + SECItem publicValue; +@@ -1941,17 +1941,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE + SEC_ASN1_GET(SEC_OctetStringTemplate), + &pubKey->u.ec.publicValue); + /* nope, didn't decode correctly */ + if ((rv != SECSuccess) || (publicValue.len != keyLen)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + /* we don't handle compressed points except in the case of ECCurve25519 */ +- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && ++ if ((pubKey->u.ec.ecParams.type != ec_params_edwards_named) && + (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) { + crv = CKR_ATTRIBUTE_VALUE_INVALID; + break; + } + /* replace our previous with the decoded key */ + pubKey->u.ec.publicValue = publicValue; + break; + } +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -5655,17 +5655,17 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + sftk_fatalError = PR_TRUE; + } + PORT_FreeArena(ecParams->arena, PR_TRUE); + crv = sftk_MapCryptError(PORT_GetError()); + break; + } + + if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || +- ecParams->fieldID.type == ec_field_plain) { ++ ecParams->type == ec_params_edwards_named) { + PORT_FreeArena(ecParams->arena, PR_TRUE); + crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, + sftk_item_expand(&ecPriv->publicValue)); + } else { + PORT_FreeArena(ecParams->arena, PR_TRUE); + SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, + &ecPriv->publicValue, + SEC_ASN1_GET(SEC_OctetStringTemplate)); diff --git a/nss.spec b/nss.spec index 3a06abd..43412fa 100644 --- a/nss.spec +++ b/nss.spec @@ -131,13 +131,12 @@ Patch4: iquote.patch Patch12: nss-signtool-format.patch # fedora disabled dbm by default Patch40: nss-no-dbm-man-page.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1861265 +Patch50: nss-3.94-fix-ec-encoding.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch -# NSS reversion patchtes -Patch300: nss-3.94-HACL-p256.patch - %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and @@ -299,7 +298,6 @@ popd pushd nss %autopatch -p1 -M 99 -%patch -P 300 -R -p1 popd # https://bugzilla.redhat.com/show_bug.cgi?id=1247353 From 7a963c96b2a3cadfd88ab36b9c9b6ab64723c758 Mon Sep 17 00:00:00 2001 From: Krenzelok Frantisek Date: Mon, 27 Nov 2023 12:25:31 +0100 Subject: [PATCH 28/28] Update NSS to 3.95.0 - remove nss-3.94-fix-ec-encoding.patch (upstreamed) --- .gitignore | 1 + nss-3.94-fix-ec-encoding.patch | 107 --------------------------------- nss.spec | 11 ++-- sources | 2 +- 4 files changed, 8 insertions(+), 113 deletions(-) delete mode 100644 nss-3.94-fix-ec-encoding.patch diff --git a/.gitignore b/.gitignore index 61e1690..3f34bb5 100644 --- a/.gitignore +++ b/.gitignore @@ -85,3 +85,4 @@ TestUser51.cert /nss-3.92-with-nspr-4.35.tar.gz /nss-3.93-with-nspr-4.35.tar.gz /nss-3.94-with-nspr-4.35.tar.gz +/nss-3.95-with-nspr-4.35.tar.gz diff --git a/nss-3.94-fix-ec-encoding.patch b/nss-3.94-fix-ec-encoding.patch deleted file mode 100644 index f4361c9..0000000 --- a/nss-3.94-fix-ec-encoding.patch +++ /dev/null @@ -1,107 +0,0 @@ -diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h ---- a/lib/freebl/blapit.h -+++ b/lib/freebl/blapit.h -@@ -387,17 +387,18 @@ typedef struct DHPrivateKeyStr DHPrivate - */ - - /* - ** The ECParams data structures can encode elliptic curve - ** parameters for both GFp and GF2m curves. - */ - - typedef enum { ec_params_explicit, -- ec_params_named -+ ec_params_named, -+ ec_params_edwards_named - } ECParamsType; - - typedef enum { ec_field_GFp = 1, - ec_field_GF2m, - ec_field_plain - } ECFieldType; - - struct ECFieldIDStr { -diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c ---- a/lib/freebl/ecdecode.c -+++ b/lib/freebl/ecdecode.c -@@ -171,16 +171,17 @@ EC_FillParams(PLArenaPool *arena, const - * (the NIST P-521 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, - ec_field_GFp, params)); - break; - - case SEC_OID_CURVE25519: - /* Populate params for Curve25519 */ -+ params->type = ec_params_edwards_named; - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, - ec_field_plain, - params)); - break; - - default: - break; - }; -diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c ---- a/lib/softoken/pkcs11.c -+++ b/lib/softoken/pkcs11.c -@@ -1921,17 +1921,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE - /* special note: We can't just use the first byte to distinguish - * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING. - * Both are 0x04. */ - - /* Handle the non-DER encoded case. - * Some curves are always pressumed to be non-DER. - */ - if (pubKey->u.ec.publicValue.len == keyLen && -- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain || -+ (pubKey->u.ec.ecParams.type == ec_params_edwards_named || - pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) { - break; /* key was not DER encoded, no need to unwrap */ - } - - /* handle the encoded case */ - if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) && - pubKey->u.ec.publicValue.len > keyLen) { - SECItem publicValue; -@@ -1941,17 +1941,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE - SEC_ASN1_GET(SEC_OctetStringTemplate), - &pubKey->u.ec.publicValue); - /* nope, didn't decode correctly */ - if ((rv != SECSuccess) || (publicValue.len != keyLen)) { - crv = CKR_ATTRIBUTE_VALUE_INVALID; - break; - } - /* we don't handle compressed points except in the case of ECCurve25519 */ -- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && -+ if ((pubKey->u.ec.ecParams.type != ec_params_edwards_named) && - (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) { - crv = CKR_ATTRIBUTE_VALUE_INVALID; - break; - } - /* replace our previous with the decoded key */ - pubKey->u.ec.publicValue = publicValue; - break; - } -diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c ---- a/lib/softoken/pkcs11c.c -+++ b/lib/softoken/pkcs11c.c -@@ -5655,17 +5655,17 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS - sftk_fatalError = PR_TRUE; - } - PORT_FreeArena(ecParams->arena, PR_TRUE); - crv = sftk_MapCryptError(PORT_GetError()); - break; - } - - if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || -- ecParams->fieldID.type == ec_field_plain) { -+ ecParams->type == ec_params_edwards_named) { - PORT_FreeArena(ecParams->arena, PR_TRUE); - crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, - sftk_item_expand(&ecPriv->publicValue)); - } else { - PORT_FreeArena(ecParams->arena, PR_TRUE); - SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, - &ecPriv->publicValue, - SEC_ASN1_GET(SEC_OctetStringTemplate)); diff --git a/nss.spec b/nss.spec index 43412fa..e7bb6ec 100644 --- a/nss.spec +++ b/nss.spec @@ -1,13 +1,13 @@ %global nspr_version 4.35.0 -%global nss_version 3.94.0 +%global nss_version 3.95.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 2 +%global baserelease 1 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+13] +%global nspr_release %[%baserelease+15] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -131,8 +131,6 @@ Patch4: iquote.patch Patch12: nss-signtool-format.patch # fedora disabled dbm by default Patch40: nss-no-dbm-man-page.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1861265 -Patch50: nss-3.94-fix-ec-encoding.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1086,6 +1084,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Mon Nov 27 2023 Frantisek Krenzelok - 3.95.0-1 +- Update NSS to 3.95.0 + * Wed Oct 25 2023 Frantisek Krenzelok - 3.94.0-2 - revert HACL 256 code to fix binary compatibility issue. diff --git a/sources b/sources index fa784d4..0a41301 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.94-with-nspr-4.35.tar.gz) = 121180c80c635b0e3e9fa5d44297107d4c5da84879210e81da0f799a48e9ed1ea43e5c28d5cb53fd65218678b94b5db282b7ed0ee96482caa01493c39ed93c27 +SHA512 (nss-3.95-with-nspr-4.35.tar.gz) = 8394a0381db5b5d7f975f5057e0578909901244616ccaca694c1932fd9428e651a52bbf3f30e4d993e692538a603a57df1eae5e9badda3a1291d35836ab02ecd